- Configure fail2ban with progressive ban times (1h base, up to 10000h max) - Add SSH jail with password authentication disabled - Add Forgejo jail using systemd journal backend - Ignore private networks and Tailscale IPs - Set Forgejo to 10 retries per hour, 15min initial ban 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
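{ config, lib, pkgs, ... }:

# fail2ban for a Forgejo host.
#
# The global settings apply to every jail the module enables (the NixOS
# module also enables an sshd jail by default — verify the live jail list
# with `fail2ban-client status`); the forgejo jail below reads HTTP login
# failures from the systemd journal with its own retry budget and initial ban.
{
  services.fail2ban = {
    enable = true;

    # Default retry budget for jails that do not set their own (e.g. sshd).
    maxretry = 5;

    # Never ban loopback, the RFC 1918 ranges, or 100.64.0.0/10 (the CGNAT
    # block Tailscale allocates node addresses from).
    # NOTE(review): this exempts the *whole* CGNAT block, not just this
    # tailnet. It also interacts with reverse proxies: if Forgejo sits behind
    # a proxy on one of these ranges and logs the proxy's address rather than
    # the client's, nothing is ever banned; if the proxy is *not* in this list,
    # a ban would cut off every user behind it. Confirm Forgejo logs the real
    # client address (trusted-proxy configuration) before relying on the jail.
    ignoreIP = [
      "127.0.0.0/8"
      "::1"
      "10.0.0.0/8"
      "172.16.0.0/12"
      "192.168.0.0/16"
      "100.64.0.0/10"
    ];

    # First ban lasts 1h; repeat offenders get progressively longer bans.
    bantime = "1h";
    bantime-increment = {
      enable = true;
      # No explicit `multipliers` list: fail2ban then uses its default formula,
      # which doubles the ban on every repeat (1, 2, 4, 8, ...) until `maxtime`
      # caps it. The previous list "1 2 4 8 16 32 64" yielded the same first
      # seven steps but fail2ban reuses the last factor once the list is
      # exhausted, so bans never exceeded 64h (16h for the forgejo jail) and
      # the 10000h ceiling below was unreachable.
      maxtime = "10000h";
      # Count prior bans across all jails, not per jail.
      overalljails = true;
    };

    jails.forgejo = {
      settings = {
        enabled = true;
        # Filter name; resolved to filter.d/forgejo.{conf,local} (defined below).
        filter = "forgejo";
        # Read the forgejo.service journal instead of a log file; the filter's
        # journalmatch narrows what is scanned.
        backend = "systemd";
        # Web logins are noisier than SSH: 10 failures within 1h bans for 15m,
        # then escalates per bantime-increment above.
        maxretry = 10;
        findtime = "1h";
        bantime = "15m";
      };
    };
  };

  # Custom fail2ban filter for Forgejo using the systemd journal.
  #
  # Matches Forgejo's "Failed authentication attempt for <user> from
  # <addr>:<port>: ..." lines. The username portion is attacker-controlled,
  # but `.+` is greedy, so the *last* " from <HOST>:<port>:" on the line is
  # the one captured — the genuine remote address, provided Forgejo appends it
  # after the username (as the message format above implies; confirm against
  # a real log line).
  # NOTE(review): only this one message is matched. Forgejo may log other
  # failures (e.g. basic-auth/token attempts) with different wording, and
  # IPv6 clients may appear as "[addr]:port"; check both against a real log
  # line before assuming they are covered.
  # mkDefault keeps this overridable by another module; the former mkAfter
  # wrapper was only an ordering hint with no effect on a single definition.
  environment.etc."fail2ban/filter.d/forgejo.local".text = lib.mkDefault ''
    [Definition]
    journalmatch = _SYSTEMD_UNIT=forgejo.service
    failregex = Failed authentication attempt for .+ from <HOST>:\d+:
    ignoreregex =
  '';
}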