lew/nixos
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

refactor: simplifies fail2ban config

Browse source
This commit is contained in:
Lewis Wynne 2026-04-07 21:16:09 +01:00
parent add77df77f
commit 8c0db938fc
1 changed files with 0 additions and 25 deletions
Download patch file Download diff file Expand all files Collapse all files

25
hosts/lab/fail2ban.nix
View file

@ -2,17 +2,13 @@
{ {
services.fail2ban = { services.fail2ban = {
enable = true; enable = true;
maxretry = 5;
bantime = "1h";
bantime-increment = { bantime-increment = {
enable = true; enable = true;
maxtime = "168h"; maxtime = "168h";
overalljails = true; overalljails = true;
}; };
ignoreIP = [ "127.0.0.1/8" "::1" ];
jails = { jails = {
# SSH jail auto-created by NixOS — just tighten the limits
sshd.settings = { sshd.settings = {
maxretry = 3; maxretry = 3;
findtime = "15m"; findtime = "15m";
@ -24,34 +20,13 @@
filter = "forgejo"; filter = "forgejo";
backend = "systemd"; backend = "systemd";
journalmatch = "_SYSTEMD_UNIT=forgejo.service"; journalmatch = "_SYSTEMD_UNIT=forgejo.service";
maxretry = 5;
findtime = "10m";
};
caddy-status.settings = {
enabled = true;
port = "http,https";
filter = "caddy-status";
backend = "systemd";
journalmatch = "_SYSTEMD_UNIT=caddy.service";
maxretry = 10;
findtime = "10m";
}; };
}; };
}; };
# Each virtualHost already has a `log` block for access logging.
# The global `servers { logs }` directive was removed in Caddy 2.11.
environment.etc."fail2ban/filter.d/forgejo.conf".text = '' environment.etc."fail2ban/filter.d/forgejo.conf".text = ''
[Definition] [Definition]
failregex = ^.*Failed authentication attempt for .* from <HOST> failregex = ^.*Failed authentication attempt for .* from <HOST>
ignoreregex = ignoreregex =
''; '';
environment.etc."fail2ban/filter.d/caddy-status.conf".text = ''
[Definition]
failregex = ^.*"client_ip":"<HOST>".*"status":\s*(401|403)
ignoreregex =
'';
} }