From 066166cf496e5d5b2b4ea681d2d43246c995b7ef Mon Sep 17 00:00:00 2001 From: datafoo <34766150+datafoo@users.noreply.github.com> Date: Wed, 19 Apr 2023 14:11:40 +0200 Subject: nixos/fail2ban: add extraSettings option --- nixos/modules/services/security/fail2ban.nix | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'nixos/modules/services/security') diff --git a/nixos/modules/services/security/fail2ban.nix b/nixos/modules/services/security/fail2ban.nix index 1962d3f59c9f..93962d40ce4b 100644 --- a/nixos/modules/services/security/fail2ban.nix +++ b/nixos/modules/services/security/fail2ban.nix @@ -209,6 +209,20 @@ in ''; }; + extraSettings = mkOption { + type = with types; attrsOf (oneOf [ bool ints.positive str ]); + default = {}; + description = lib.mdDoc '' + Extra default configuration for all jails (i.e. `[DEFAULT]`). See + for an overview. + ''; + example = literalExpression '' + { + findtime = "15m"; + } + ''; + }; + jails = mkOption { default = { }; example = literalExpression '' @@ -335,6 +349,10 @@ in # Actions banaction = ${cfg.banaction} banaction_allports = ${cfg.banaction-allports} + ${optionalString (cfg.extraSettings != {}) '' + # Extra settings + ${generators.toKeyValue {} cfg.extraSettings} + ''} ''; # Block SSH if there are too many failing connection attempts. # Benefits from verbose sshd logging to observe failed login attempts, -- cgit 1.4.1
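Review bot: The value type `ints.positive` in the new `extraSettings` option rejects 0 and negative integers, while fail2ban gives some of those a meaning (a negative `bantime` is a permanent ban). Such settings can therefore only be written as strings, and the description does not say so. Either widen the type, `type = with types; attrsOf (oneOf [ bool int str ]);`, or add a sentence to the description such as `Zero or negative numbers must be given as strings, e.g. bantime = "-1".` In this rendering the description also reads "See for an overview", so the link target looks lost; confirm the URL is present in the file.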
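Review bot: Nothing prevents a key in `cfg.extraSettings` from repeating one the module already writes into the same section, for example `banaction` two lines above the new `${generators.toKeyValue {} cfg.extraSettings}` line. The generated file would then carry that key twice. Whether fail2ban refuses to start or lets the later value win is not visible here; in the second case a setting such as the ban action would be replaced without any warning at evaluation time. Consider an assertion that rejects the module-managed names, or at least a comment on the new block: `# Keys set above (banaction, banaction_allports, ...) must not be repeated in extraSettings.` The surrounding configuration string starts and ends outside this hunk, so the full list of managed keys is not visible.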