From cdc8e5fbd224358bbcc02498076ac427232146d0 Mon Sep 17 00:00:00 2001
From: Dmitriy Pleshevskiy
Date: Thu, 20 Oct 2022 01:28:29 +0300
Subject: [PATCH] machines/magenta: add fail2ban module ssh+gitea

---
 machines/magenta/default.nix        |  4 ++++
 machines/magenta/services/gitea.nix | 18 ++++++++++++++++--
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/machines/magenta/default.nix b/machines/magenta/default.nix
index 4b484f4..6431fb1 100644
--- a/machines/magenta/default.nix
+++ b/machines/magenta/default.nix
@@ -7,9 +7,11 @@ in
   imports = [
     ./hardware-configuration.nix
     ./networking.nix # generated at runtime by nixos-infect
+    ../modules/common.nix
     ../modules/nix.nix
     ../modules/nginx.nix
+    ./services/mailserver.nix
     ./services/gitea.nix
   ];
@@ -25,4 +27,6 @@ in
     acceptTerms = true;
     defaults.email = "dmitriy@pleshevski.ru";
   };
+
+  services.fail2ban.enable = true;
 }
diff --git a/machines/magenta/services/gitea.nix b/machines/magenta/services/gitea.nix
index 52d0b21..6f25faf 100644
--- a/machines/magenta/services/gitea.nix
+++ b/machines/magenta/services/gitea.nix
@@ -33,7 +33,7 @@ in
     lfs.enable = true;
     settings = {
       log = {
-        LEVEL = "Debug";
+        LEVEL = "Info";
         ENABLE_SSH_LOG = true;
       };
       database = {
@@ -41,7 +41,6 @@ in
         LOG_SQL = false;
       };
       server = {
-        DISABLE_ROUTER_LOG = true;
         LANDING_PAGE = "explore";
       };
       service = {
@@ -116,4 +115,19 @@ in
     owner = config.services.gitea.user;
     group = "gitea";
   };
+
+  services.fail2ban.jails.gitea = ''
+    enabled = true
+    filter = gitea
+    findtime = 3600
+    bantime = 900
+    action = iptables-allports
+  '';
+
+  environment.etc."fail2ban/filter.d/gitea.conf".source = pkgs.writeText "gitea.conf" ''
+    [Definition]
+    failregex = .*Failed authentication attempt for .* from
+    ignoreregex =
+    journalmatch = _SYSTEMD_UNIT=gitea.service
+  '';
 }
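Review bot: The two new imports in the first default.nix hunk, `../modules/common.nix` and `./services/mailserver.nix`, are unrelated to the fail2ban change named in the subject, and neither file is part of this patch (the diffstat lists only default.nix and gitea.nix), so the configuration only evaluates if both already exist in the tree. Splitting them into their own commit, or at least naming them in the commit message, would keep this change reviewable on its own. The `imports` list is complete within the hunk; the enclosing attribute set starts before it and ends after it.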
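Review bot: `services.fail2ban.enable = true;` in the second default.nix hunk is the only place the "ssh" half of the subject lands, so the sshd jail appears to rely on the NixOS fail2ban module's default jail rather than anything explicit in this patch; a comment such as `# sshd jail comes from the NixOS fail2ban module defaults; the gitea jail is defined in services/gitea.nix` would make that dependency visible to the next reader. It would also be worth setting `services.fail2ban.ignoreIP` for the addresses the machine is administered from, since the gitea jail added later in this patch uses `action = iptables-allports` and a few mistyped passwords would then block every port, not just the service that saw them. The enclosing attribute set closes at the `}` that ends this hunk.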
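Review bot: Removing `DISABLE_ROUTER_LOG = true;` in the second gitea.nix hunk turns per-request router logging back on, which the fail2ban filter added later in this patch does not appear to need — the "Failed authentication attempt" line it matches comes from Gitea's regular logger rather than the router logger (inferred from the message text; confirm against the Gitea version in use). That multiplies the journal volume fail2ban has to scan on every request and the option was presumably disabled deliberately. If the router log is meant to stay on, a comment such as `# router log kept on for request auditing` would record the intent; otherwise the line should stay. The enclosing `settings` set starts before this hunk and ends after it.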
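Review bot: The `failregex` in the last gitea.nix hunk has no `<HOST>` placeholder, so fail2ban cannot extract an address from a matching line and will refuse to load the gitea jail (no host group in the regex), leaving the service unprotected even though `enabled = true`; it should read `failregex = .*Failed authentication attempt for .* from <HOST>`. Because `../modules/nginx.nix` is imported on this machine, the address Gitea logs will be the proxy's unless nginx forwards the client address and Gitea is configured to trust that proxy (Gitea's `[security] REVERSE_PROXY_TRUSTED_PROXIES` setting) — with `action = iptables-allports` a ban on the proxy address would cut the site off from itself, so confirm that before relying on the jail. The regex also depends on the failed-authentication line still being emitted after the `LEVEL = "Info"` change in the first hunk of this file; a short comment on the filter, `# requires the auth failure to be logged at Info or above and the real client IP to reach Gitea through the proxy`, would capture both assumptions.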