machines/magenta: add fail2ban module ssh+gitea

This commit is contained in:
Dmitriy Pleshevskiy 2022-10-20 01:28:29 +03:00
parent 792007ac4f
commit cdc8e5fbd2
Signed by: pleshevskiy
GPG key ID: 1B59187B161C0215
2 changed files with 20 additions and 2 deletions


@ -7,9 +7,11 @@ in
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
./networking.nix # generated at runtime by nixos-infect ./networking.nix # generated at runtime by nixos-infect
../modules/common.nix ../modules/common.nix
../modules/nix.nix ../modules/nix.nix
../modules/nginx.nix ../modules/nginx.nix
./services/mailserver.nix ./services/mailserver.nix
./services/gitea.nix ./services/gitea.nix
]; ];
@ -25,4 +27,6 @@ in
acceptTerms = true; acceptTerms = true;
defaults.email = "dmitriy@pleshevski.ru"; defaults.email = "dmitriy@pleshevski.ru";
}; };
services.fail2ban.enable = true;
} }
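Review bot: `services.fail2ban.enable = true;` on line 27 switches on banning with `ignoreIP` left at the module default (loopback only), so an administrator who mistypes a password a few times from their own address is locked out of SSH for the default bantime with no way back in except the provider console. Adding `services.fail2ban.ignoreIP = [ "<admin or VPN address range>" ];` next to it avoids that self-lockout. No sshd jail is visible in this diff; if the "ssh" half of the commit title relies on the NixOS module's default sshd jail, a one-line comment such as `# sshd jail comes from the NixOS fail2ban module defaults` would make that explicit for the next reader. The enclosing module attribute set begins outside this hunk.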


@ -33,7 +33,7 @@ in
lfs.enable = true; lfs.enable = true;
settings = { settings = {
log = { log = {
LEVEL = "Debug"; LEVEL = "Info";
ENABLE_SSH_LOG = true; ENABLE_SSH_LOG = true;
}; };
database = { database = {
@ -41,7 +41,6 @@ in
LOG_SQL = false; LOG_SQL = false;
}; };
server = { server = {
DISABLE_ROUTER_LOG = true;
LANDING_PAGE = "explore"; LANDING_PAGE = "explore";
}; };
service = { service = {
@ -116,4 +115,19 @@ in
owner = config.services.gitea.user; owner = config.services.gitea.user;
group = "gitea"; group = "gitea";
}; };
services.fail2ban.jails.gitea = ''
enabled = true
filter = gitea
findtime = 3600
bantime = 900
action = iptables-allports
'';
environment.etc."fail2ban/filter.d/gitea.conf".source = pkgs.writeText "gitea.conf" ''
[Definition]
failregex = .*Failed authentication attempt for .* from <HOST>
ignoreregex =
journalmatch = _SYSTEMD_UNIT=gitea.service
'';
} }
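Review bot: The filter's `failregex = .*Failed authentication attempt for .* from <HOST>` matches a single Gitea failure message; Gitea's own fail2ban documentation lists further ones (`invalid credentials`, `Attempted access of unknown user`), so `failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>` is worth adopting after confirming the exact wording against the running version's journal. Since the first file imports nginx.nix, Gitea is presumably behind a reverse proxy: the address it logs after `from` is the real client only when the proxy falls inside Gitea's trusted-proxy range (`[security] REVERSE_PROXY_TRUSTED_PROXIES`, not visible here); otherwise every hit names the proxy and the jail is either inert (loopback is in fail2ban's ignoreip) or, with `action = iptables-allports`, bans the proxy itself. `journalmatch = _SYSTEMD_UNIT=gitea.service` also assumes Gitea keeps logging to stdout/journal rather than a file, which deserves a comment beside the `log` settings such as `# fail2ban reads the journal; do not switch MODE to a file logger`. The enclosing attribute set begins outside this hunk.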