fail2ban: fix config; forgejo: repository path and persistency
This commit is contained in:
parent
5906fa6f36
commit
ae6d46012b
3 changed files with 25 additions and 31 deletions
|
|
@ -12,7 +12,6 @@
|
||||||
"192.168.0.0/16"
|
"192.168.0.0/16"
|
||||||
"100.64.0.0/10"
|
"100.64.0.0/10"
|
||||||
];
|
];
|
||||||
|
|
||||||
bantime = "1h";
|
bantime = "1h";
|
||||||
bantime-increment = {
|
bantime-increment = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
@ -20,24 +19,5 @@
|
||||||
maxtime = "10000h";
|
maxtime = "10000h";
|
||||||
overalljails = true;
|
overalljails = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
jails.forgejo = {
|
|
||||||
settings = {
|
|
||||||
enabled = true;
|
|
||||||
filter = "forgejo";
|
|
||||||
backend = "systemd";
|
|
||||||
maxretry = 10;
|
|
||||||
findtime = "1h";
|
|
||||||
bantime = "15m";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
# Custom fail2ban filter for Forgejo using systemd journal
|
|
||||||
environment.etc."fail2ban/filter.d/forgejo.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
|
|
||||||
[Definition]
|
|
||||||
journalmatch = _SYSTEMD_UNIT=forgejo.service
|
|
||||||
failregex = Failed authentication attempt for .+ from <HOST>:\d+:
|
|
||||||
ignoreregex =
|
|
||||||
'');
|
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -4,15 +4,16 @@
|
||||||
inputs,
|
inputs,
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
|
|
||||||
let
|
let
|
||||||
utils = import ../../utils.nix { inherit inputs lib; };
|
utils = import ../../utils.nix { inherit inputs lib; };
|
||||||
inherit (utils) mkNginxVHosts;
|
inherit (utils) mkNginxVHosts;
|
||||||
in
|
in
|
||||||
|
|
||||||
{
|
{
|
||||||
services = {
|
services = {
|
||||||
forgejo = {
|
forgejo = {
|
||||||
enable = true;
|
enable = true;
|
||||||
repositoryRoot = "/data/forgejo";
|
|
||||||
settings = {
|
settings = {
|
||||||
session.COOKIE_SECURE = true;
|
session.COOKIE_SECURE = true;
|
||||||
server = {
|
server = {
|
||||||
|
|
@ -42,17 +43,30 @@ in
|
||||||
settings = {
|
settings = {
|
||||||
enabled = true;
|
enabled = true;
|
||||||
filter = "forgejo";
|
filter = "forgejo";
|
||||||
logpath = "${config.services.forgejo.stateDir}/log/forgejo.log";
|
maxretry = 3;
|
||||||
maxretry = 10;
|
findtime = "10m";
|
||||||
findtime = "1h";
|
bantime = "1h";
|
||||||
bantime = "15m";
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
environment.etc."fail2ban/filter.d/forgejo.conf".text = ''
|
environment = {
|
||||||
[Definition]
|
etc."fail2ban/filter.d/forgejo.conf".text = ''
|
||||||
failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
|
[Definition]
|
||||||
ignoreregex =
|
failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
|
||||||
'';
|
ignoreregex =
|
||||||
|
journalmatch = _SYSTEMD_UNIT=forgejo.service
|
||||||
|
'';
|
||||||
|
|
||||||
|
persistence.main.directories = [
|
||||||
|
{
|
||||||
|
directory = config.services.forgejo.stateDir;
|
||||||
|
inherit (config.services.forgejo) user group;
|
||||||
|
mode = "0700";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
# Disable PrivateMounts to allow LoadCredential to work with bind-mounted directories
|
||||||
|
systemd.services.forgejo.serviceConfig.PrivateMounts = lib.mkForce false;
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
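Review bot: The rebuilt forgejo jail sets neither `logpath` nor `backend`, while the jail it replaces in the fail2ban module carried `backend = "systemd"`; `journalmatch` in the filter is only honoured by the systemd backend, so unless the jail DEFAULT section (outside this diff) already sets `backend = systemd`, fail2ban will refuse to start the jail for having no log file. Adding `backend = "systemd";` beside `filter = "forgejo";` makes the jail self-contained again. The leading `.*` in `failregex` is redundant (fail2ban searches the line rather than anchoring at its start) and, unlike the removed filter, the pattern no longer pins the `:\d+:` port suffix after `<HOST>`; assuming all three messages share the `from <addr>:<port>:` tail, `failregex = (?:Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>:\d+:` is tighter. `repositoryRoot = "/data/forgejo"` lies outside the persisted `stateDir`, so repositories are only durable if `/data` is itself a persistent mount — worth a comment next to that line either way.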
@ -14,7 +14,7 @@
|
||||||
port = "ssh";
|
port = "ssh";
|
||||||
filter = "sshd";
|
filter = "sshd";
|
||||||
logpath = "/var/log/auth.log";
|
logpath = "/var/log/auth.log";
|
||||||
maxretry = 5;
|
maxretry = 3;
|
||||||
findtime = "10m";
|
findtime = "10m";
|
||||||
bantime = "1h";
|
bantime = "1h";
|
||||||
};
|
};
|
||||||
|
|
|
||||||