Overrding sshd jail in fail2ban without redeclaring it entirely

I want to set the mode for the sshd jail to aggressive. Is there a way to extend this built-in jail without redeclaring it entirely in services.fail2ban.jails? Since the sshd jail comes with NixOS I was expecting it to be configurable declaratively.

An alternative I see is setting mode for all jails in services.fail2ban.extraSettings but I only want to set it for sshd at this time.

You can try mkAfter, e.g., like so:

services.fail2ban.jails.sshd = lib.mkAfter ''
  mode = aggressive
1 Like

This does not work unfortunately. The result is that only this one line is added to the jail configuration instead of being appended to the other lines.

Try lib.mkDefault (lib.mkAfter ...)?

1 Like

This works, thanks.

For future reference, this is the entire expression:

  services.fail2ban = {
    jails = {
      sshd = lib.mkDefault (lib.mkAfter ''mode = aggressive'');        

With NixOS 23.11 setting these parameters separately is now possible:

  services.fail2ban = {
    # Your other options here
    # ...
    jails.sshd.settings = {                     
      mode = "aggressive"; 
      publickey = "invalid";