machines/magenta: add fail2ban module ssh+gitea

Dmitriy Pleshevskiy 2022-10-20 01:28:29 +03:00
parent 792007ac4f
commit cdc8e5fbd2
Signed by: pleshevskiy
GPG key ID: 1B59187B161C0215
2 changed files with 20 additions and 2 deletions


@ -7,9 +7,11 @@ in
imports = [
./hardware-configuration.nix
./networking.nix # generated at runtime by nixos-infect
../modules/common.nix
../modules/nix.nix
../modules/nginx.nix
./services/mailserver.nix
./services/gitea.nix
];
@ -25,4 +27,6 @@ in
acceptTerms = true;
defaults.email = "dmitriy@pleshevski.ru";
};
services.fail2ban.enable = true;
}
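Review bot: `services.fail2ban.enable = true;` is added without an `ignoreIP` list, so the ssh jail this commit is meant to turn on (per the title) can ban the administrator's own source address after a handful of failed logins, which on a remote host is a lockout with no side door; consider `services.fail2ban.ignoreIP = [ "<ADMIN_CIDR>" ];` (placeholder) next to the enable line, kept to addresses that are actually static. Ban and retry thresholds are also left at module defaults here, which is fine but worth a short comment so the next reader knows the ssh jail is intentionally inheriting them, e.g. `# sshd jail uses the module's default bantime/maxretry; gitea jail is defined in services/gitea.nix`. The enclosing attribute set of both hunks starts outside what is shown.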


@ -33,7 +33,7 @@ in
lfs.enable = true;
settings = {
log = {
LEVEL = "Debug";
LEVEL = "Info";
ENABLE_SSH_LOG = true;
};
database = {
@ -41,7 +41,6 @@ in
LOG_SQL = false;
};
server = {
DISABLE_ROUTER_LOG = true;
LANDING_PAGE = "explore";
};
service = {
@ -116,4 +115,19 @@ in
owner = config.services.gitea.user;
group = "gitea";
};
services.fail2ban.jails.gitea = ''
enabled = true
filter = gitea
findtime = 3600
bantime = 900
action = iptables-allports
'';
environment.etc."fail2ban/filter.d/gitea.conf".source = pkgs.writeText "gitea.conf" ''
[Definition]
failregex = .*Failed authentication attempt for .* from <HOST>
ignoreregex =
journalmatch = _SYSTEMD_UNIT=gitea.service
'';
}
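Review bot: The `services.fail2ban.jails.gitea` block sets `findtime` and `bantime` but not `maxretry`, so the number of failed authentications that triggers an all-ports ban is inherited from DEFAULT and invisible in this file; stating it explicitly, e.g. `maxretry = 5` (pick the intended value), keeps the jail self-describing and makes later tuning of the ssh and gitea thresholds independent. The filter relies on `journalmatch = _SYSTEMD_UNIT=gitea.service`, which only produces matches if fail2ban is using the systemd backend and Gitea keeps logging to the journal; if either is changed later the jail silently stops seeing failures, so a one-line comment on the filter such as `# requires fail2ban backend=systemd and Gitea logging to journald` would document that dependency. The enclosing module attribute set starts outside the hunk.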