william/nix-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Add fail2ban configuration for SSH and Forgejo on Trantor

Browse source 
- Configure fail2ban with progressive ban times (1h base, up to 10000h max)
- Add SSH jail with password authentication disabled
- Add Forgejo jail using systemd journal backend
- Ignore private networks and Tailscale IPs
- Set Forgejo to 10 retries per hour, 15min initial ban

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
William 2025-11-09 13:00:17 -03:00
parent cd17bf2561
commit f1b6be6f3f
3 changed files with 107 additions and 24 deletions
Download patch file Download diff file Expand all files Collapse all files

43
hosts/trantor/fail2ban.nix Normal file
View file

@ -0,0 +1,43 @@
{ config, pkgs, ... }:
{
services.fail2ban = {
enable = true;
maxretry = 5;
ignoreIP = [
"127.0.0.0/8"
"::1"
"10.0.0.0/8"
"172.16.0.0/12"
"192.168.0.0/16"
"100.64.0.0/10"
];
bantime = "1h";
bantime-increment = {
enable = true;
multipliers = "1 2 4 8 16 32 64";
maxtime = "10000h";
overalljails = true;
};
jails.forgejo = {
settings = {
enabled = true;
filter = "forgejo";
backend = "systemd";
maxretry = 10;
findtime = "1h";
bantime = "15m";
};
};
};
# Custom fail2ban filter for Forgejo using systemd journal
environment.etc."fail2ban/filter.d/forgejo.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
[Definition]
journalmatch = _SYSTEMD_UNIT=forgejo.service
failregex = Failed authentication attempt for .+ from <HOST>:\d+:
ignoreregex =
'');
}

65
hosts/trantor/forgejo.nix
View file

@ -9,33 +9,50 @@ let
inherit (utils) mkNginxVHosts; inherit (utils) mkNginxVHosts;
in in
{ {
services.forgejo = { services = {
enable = true; forgejo = {
repositoryRoot = "/data/forgejo"; enable = true;
settings = { repositoryRoot = "/data/forgejo";
session.COOKIE_SECURE = true; settings = {
server = { session.COOKIE_SECURE = true;
PROTOCOL = "http+unix"; server = {
DOMAIN = "git.baduhai.dev"; PROTOCOL = "http+unix";
ROOT_URL = "https://git.baduhai.dev"; DOMAIN = "git.baduhai.dev";
OFFLINE_MODE = true; # disable use of CDNs ROOT_URL = "https://git.baduhai.dev";
SSH_DOMAIN = "baduhai.dev"; OFFLINE_MODE = true; # disable use of CDNs
SSH_DOMAIN = "baduhai.dev";
};
log.LEVEL = "Warn";
mailer.ENABLED = false;
actions.ENABLED = false;
service.DISABLE_REGISTRATION = true;
oauth2_client = {
ENABLE_AUTO_REGISTRATION = true;
UPDATE_AVATAR = true;
ACCOUNT_LINKING = "login";
USERNAME = "preferred_username";
};
}; };
log.LEVEL = "Warn"; };
mailer.ENABLED = false; nginx.virtualHosts = mkNginxVHosts {
actions.ENABLED = false; domains."git.baduhai.dev".locations."/".proxyPass =
service.DISABLE_REGISTRATION = true; "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}:/";
oauth2_client = { };
ENABLE_AUTO_REGISTRATION = true; fail2ban.jails.forgejo = {
UPDATE_AVATAR = true; settings = {
ACCOUNT_LINKING = "login"; enabled = true;
USERNAME = "preferred_username"; filter = "forgejo";
logpath = "${config.services.forgejo.stateDir}/log/forgejo.log";
maxretry = 10;
findtime = "1h";
bantime = "15m";
}; };
}; };
}; };
services.nginx.virtualHosts = mkNginxVHosts { environment.etc."fail2ban/filter.d/forgejo.conf".text = ''
domains."git.baduhai.dev".locations."/".proxyPass = [Definition]
"http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}:/"; failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
}; ignoreregex =
'';
} }

23
hosts/trantor/openssh.nix Normal file
View file

@ -0,0 +1,23 @@
{ ... }:
{
services = {
openssh = {
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
};
};
fail2ban.jails.sshd = {
settings = {
enabled = true;
port = "ssh";
filter = "sshd";
logpath = "/var/log/auth.log";
maxretry = 5;
findtime = "10m";
bantime = "1h";
};
};
};
}