machines/magenta: add fail2ban module ssh+gitea

2022-10-20 01:28:29 +03:00 · 2022-10-20 01:28:29 +03:00 · cdc8e5fbd2
commit cdc8e5fbd2
parent 792007ac4f
2 changed files with 20 additions and 2 deletions
--- a/machines/magenta/default.nix
+++ b/machines/magenta/default.nix
@ -7,9 +7,11 @@ in
  imports = [
    ./hardware-configuration.nix
    ./networking.nix # generated at runtime by nixos-infect
+
    ../modules/common.nix
    ../modules/nix.nix
    ../modules/nginx.nix
+
    ./services/mailserver.nix
    ./services/gitea.nix
  ];
@ -25,4 +27,6 @@ in
    acceptTerms = true;
    defaults.email = "dmitriy@pleshevski.ru";
  };
+
+  services.fail2ban.enable = true;
 }
--- a/machines/magenta/services/gitea.nix
+++ b/machines/magenta/services/gitea.nix
@ -33,7 +33,7 @@ in
    lfs.enable = true;
    settings = {
      log = {
-        LEVEL = "Debug";
+        LEVEL = "Info";
        ENABLE_SSH_LOG = true;
      };
      database = {
@ -41,7 +41,6 @@ in
        LOG_SQL = false;
      };
      server = {
-        DISABLE_ROUTER_LOG = true;
        LANDING_PAGE = "explore";
      };
      service = {
@ -116,4 +115,19 @@ in
    owner = config.services.gitea.user;
    group = "gitea";
  };
+
+  services.fail2ban.jails.gitea = ''
+    enabled = true
+    filter = gitea
+    findtime = 3600
+    bantime = 900
+    action = iptables-allports
+  '';
+
+  environment.etc."fail2ban/filter.d/gitea.conf".source = pkgs.writeText "gitea.conf" ''
+    [Definition]
+    failregex = .*Failed authentication attempt for .* from <HOST>
+    ignoreregex =
+    journalmatch = _SYSTEMD_UNIT=gitea.service
+  '';
 }