diff --git a/hosts/trantor/fail2ban.nix b/hosts/trantor/fail2ban.nix index 4ef1bbc..bc05139 100644 --- a/hosts/trantor/fail2ban.nix +++ b/hosts/trantor/fail2ban.nix @@ -12,7 +12,6 @@ "192.168.0.0/16" "100.64.0.0/10" ]; - bantime = "1h"; bantime-increment = { enable = true; @@ -20,24 +19,5 @@ maxtime = "10000h"; overalljails = true; }; - - jails.forgejo = { - settings = { - enabled = true; - filter = "forgejo"; - backend = "systemd"; - maxretry = 10; - findtime = "1h"; - bantime = "15m"; - }; - }; }; - - # Custom fail2ban filter for Forgejo using systemd journal - environment.etc."fail2ban/filter.d/forgejo.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter '' - [Definition] - journalmatch = _SYSTEMD_UNIT=forgejo.service - failregex = Failed authentication attempt for .+ from :\d+: - ignoreregex = - ''); } diff --git a/hosts/trantor/forgejo.nix b/hosts/trantor/forgejo.nix index 25acf4e..4123c38 100644 --- a/hosts/trantor/forgejo.nix +++ b/hosts/trantor/forgejo.nix @@ -4,15 +4,16 @@ inputs, ... }: + let utils = import ../../utils.nix { inherit inputs lib; }; inherit (utils) mkNginxVHosts; in + { services = { forgejo = { enable = true; - repositoryRoot = "/data/forgejo"; settings = { session.COOKIE_SECURE = true; server = { @@ -42,17 +43,20 @@ in settings = { enabled = true; filter = "forgejo"; - logpath = "${config.services.forgejo.stateDir}/log/forgejo.log"; - maxretry = 10; - findtime = "1h"; - bantime = "15m"; + maxretry = 3; + findtime = "10m"; + bantime = "1h"; }; }; }; - environment.etc."fail2ban/filter.d/forgejo.conf".text = '' - [Definition] - failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from - ignoreregex = - ''; + environment = { + etc."fail2ban/filter.d/forgejo.conf".text = '' + [Definition] + failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from + ignoreregex = + journalmatch = _SYSTEMD_UNIT=forgejo.service + ''; + persistence.main.directories = [ "/var/lib/forgejo" ]; + }; } diff --git a/hosts/trantor/openssh.nix b/hosts/trantor/openssh.nix index 51d8795..704b3df 100644 --- a/hosts/trantor/openssh.nix +++ b/hosts/trantor/openssh.nix @@ -14,7 +14,7 @@ port = "ssh"; filter = "sshd"; logpath = "/var/log/auth.log"; - maxretry = 5; + maxretry = 3; findtime = "10m"; bantime = "1h"; };