fail2ban: fix config; forgejo: repository path and persistency

2025-11-09 16:57:17 -03:00 · 2025-11-09 16:57:17 -03:00 · 8e491dbe5e
commit 8e491dbe5e
parent 5906fa6f36
3 changed files with 15 additions and 31 deletions
--- a/hosts/trantor/fail2ban.nix
+++ b/hosts/trantor/fail2ban.nix
@ -12,7 +12,6 @@
      "192.168.0.0/16"
      "100.64.0.0/10"
    ];
-
    bantime = "1h";
    bantime-increment = {
      enable = true;
@ -20,24 +19,5 @@
      maxtime = "10000h";
      overalljails = true;
    };
-
-    jails.forgejo = {
-      settings = {
-        enabled = true;
-        filter = "forgejo";
-        backend = "systemd";
-        maxretry = 10;
-        findtime = "1h";
-        bantime = "15m";
  };
-    };
-  };
-
-  # Custom fail2ban filter for Forgejo using systemd journal
-  environment.etc."fail2ban/filter.d/forgejo.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
-    [Definition]
-    journalmatch = _SYSTEMD_UNIT=forgejo.service
-    failregex = Failed authentication attempt for .+ from <HOST>:\d+:
-    ignoreregex =
-  '');
 }
--- a/hosts/trantor/forgejo.nix
+++ b/hosts/trantor/forgejo.nix
@ -4,15 +4,16 @@
  inputs,
  ...
 }:
+
 let
  utils = import ../../utils.nix { inherit inputs lib; };
  inherit (utils) mkNginxVHosts;
 in
+
 {
  services = {
    forgejo = {
      enable = true;
-      repositoryRoot = "/data/forgejo";
      settings = {
        session.COOKIE_SECURE = true;
        server = {
@ -42,17 +43,20 @@ in
      settings = {
        enabled = true;
        filter = "forgejo";
-        logpath = "${config.services.forgejo.stateDir}/log/forgejo.log";
-        maxretry = 10;
-        findtime = "1h";
-        bantime = "15m";
+        maxretry = 3;
+        findtime = "10m";
+        bantime = "1h";
      };
    };
  };

-  environment.etc."fail2ban/filter.d/forgejo.conf".text = ''
+  environment = {
+    etc."fail2ban/filter.d/forgejo.conf".text = ''
      [Definition]
      failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
      ignoreregex =
+      journalmatch = _SYSTEMD_UNIT=forgejo.service
    '';
+    persistence.main.directories = [ "/var/lib/forgejo" ];
+  };
 }
--- a/hosts/trantor/openssh.nix
+++ b/hosts/trantor/openssh.nix
@ -14,7 +14,7 @@
        port = "ssh";
        filter = "sshd";
        logpath = "/var/log/auth.log";
-        maxretry = 5;
+        maxretry = 3;
        findtime = "10m";
        bantime = "1h";
      };