Overriding sshd jail in fail2ban without redeclaring it entirely

I want to set the mode for the sshd jail to aggressive. Is there a way to extend this built-in jail without redeclaring it entirely in services.fail2ban.jails? Since the sshd jail comes with NixOS I was expecting it to be configurable declaratively.

An alternative I see is setting mode for all jails in services.fail2ban.extraSettings, but I only want to set it for sshd at this time.

You can try mkAfter, e.g., like so:

services.fail2ban.jails.sshd = lib.mkAfter ''
  mode = aggressive
'';

This does not work, unfortunately. The result is that only this one line is added to the jail configuration instead of being appended to the other lines.

Try lib.mkDefault (lib.mkAfter ...)?


This works, thanks.

For future reference, this is the entire expression:

  services.fail2ban = {
    jails = {
      sshd = lib.mkDefault (lib.mkAfter ''mode = aggressive'');
    };
  };

With NixOS 23.11, setting these parameters separately is now possible:

  services.fail2ban = {
    # Your other options here
    # ...
    jails.sshd.settings = {
      mode = "aggressive";
      publickey = "invalid";
    };
  };
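
The difference between plain `lib.mkAfter` and `lib.mkDefault (lib.mkAfter ...)` seen earlier in this thread can be reproduced outside NixOS. This is an added example, not code from any poster or from the fail2ban module. It assumes the module declares its built-in jail at `lib.mkDefault` priority, which is what the observed behaviour suggests; the option name `jail` and the `enabled = true` line are constructed stand-ins.

```nix
# merge-demo.nix (added example; `jail` and its contents are constructed)
let
  # Assumes <nixpkgs> is available on NIX_PATH.
  lib = (import <nixpkgs> { }).lib;

  # Evaluate a tiny module set: one `lines` option, one definition at
  # mkDefault priority standing in for the module's built-in jail, plus
  # whatever the "user" adds in userModules.
  eval = userModules:
    (lib.evalModules {
      modules = [
        { options.jail = lib.mkOption { type = lib.types.lines; }; }
        { jail = lib.mkDefault "enabled = true"; }
      ] ++ userModules;
    }).config.jail;
in
{
  # mkAfter only sets ordering among definitions of equal priority.
  # This definition has normal priority, which beats mkDefault, so the
  # built-in definition is discarded before ordering is considered.
  afterOnly = eval [
    { jail = lib.mkAfter "mode = aggressive"; }
  ];

  # Lowering the user's definition to mkDefault priority puts both
  # definitions in the same priority class; the `lines` type then merges
  # them and mkAfter places the user's line last.
  defaultAfter = eval [
    { jail = lib.mkDefault (lib.mkAfter "mode = aggressive"); }
  ];
}
```

Evaluate it with `nix-instantiate --eval --strict merge-demo.nix` and compare the two attributes. Checking the rendered jail file after a rebuild is the reliable way to confirm that a setting such as `mode = aggressive` actually reached fail2ban rather than replacing the rest of the jail.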