Add fail2ban configuration for SSH and Forgejo on Trantor

- Configure fail2ban with progressive ban times (1h base, up to 10000h max) - Add SSH jail with password authentication disabled - Add Forgejo jail using systemd journal backend - Ignore private networks and Tailscale IPs - Set Forgejo to 10 retries per hour, 15min initial ban 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-09 13:00:17 -03:00 · 2025-11-09 13:00:17 -03:00 · f1b6be6f3f
commit f1b6be6f3f
parent cd17bf2561
3 changed files with 107 additions and 24 deletions
--- a/hosts/trantor/forgejo.nix
+++ b/hosts/trantor/forgejo.nix
@ -9,33 +9,50 @@ let
  inherit (utils) mkNginxVHosts;
 in
 {
-  services.forgejo = {
-    enable = true;
-    repositoryRoot = "/data/forgejo";
-    settings = {
-      session.COOKIE_SECURE = true;
-      server = {
-        PROTOCOL = "http+unix";
-        DOMAIN = "git.baduhai.dev";
-        ROOT_URL = "https://git.baduhai.dev";
-        OFFLINE_MODE = true; # disable use of CDNs
-        SSH_DOMAIN = "baduhai.dev";
+  services = {
+    forgejo = {
+      enable = true;
+      repositoryRoot = "/data/forgejo";
+      settings = {
+        session.COOKIE_SECURE = true;
+        server = {
+          PROTOCOL = "http+unix";
+          DOMAIN = "git.baduhai.dev";
+          ROOT_URL = "https://git.baduhai.dev";
+          OFFLINE_MODE = true; # disable use of CDNs
+          SSH_DOMAIN = "baduhai.dev";
+        };
+        log.LEVEL = "Warn";
+        mailer.ENABLED = false;
+        actions.ENABLED = false;
+        service.DISABLE_REGISTRATION = true;
+        oauth2_client = {
+          ENABLE_AUTO_REGISTRATION = true;
+          UPDATE_AVATAR = true;
+          ACCOUNT_LINKING = "login";
+          USERNAME = "preferred_username";
+        };
      };
-      log.LEVEL = "Warn";
-      mailer.ENABLED = false;
-      actions.ENABLED = false;
-      service.DISABLE_REGISTRATION = true;
-      oauth2_client = {
-        ENABLE_AUTO_REGISTRATION = true;
-        UPDATE_AVATAR = true;
-        ACCOUNT_LINKING = "login";
-        USERNAME = "preferred_username";
+    };
+    nginx.virtualHosts = mkNginxVHosts {
+      domains."git.baduhai.dev".locations."/".proxyPass =
+        "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}:/";
+    };
+    fail2ban.jails.forgejo = {
+      settings = {
+        enabled = true;
+        filter = "forgejo";
+        logpath = "${config.services.forgejo.stateDir}/log/forgejo.log";
+        maxretry = 10;
+        findtime = "1h";
+        bantime = "15m";
      };
    };
  };

-  services.nginx.virtualHosts = mkNginxVHosts {
-    domains."git.baduhai.dev".locations."/".proxyPass =
-      "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}:/";
-  };
+  environment.etc."fail2ban/filter.d/forgejo.conf".text = ''
+    [Definition]
+    failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
+    ignoreregex =
+  '';
 }