From c3ef1897997083429af6581ca6509a0cd33d5a19 Mon Sep 17 00:00:00 2001
From: lew
Date: Tue, 7 Apr 2026 14:28:39 +0100
Subject: [PATCH] feat: fail2ban

---
 hosts/lab/default.nix | 1 +
 hosts/lab/fail2ban.nix | 61 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+)
 create mode 100644 hosts/lab/fail2ban.nix

diff --git a/hosts/lab/default.nix b/hosts/lab/default.nix
index e1bfa2e..fdc0d90 100644
--- a/hosts/lab/default.nix
+++ b/hosts/lab/default.nix
@@ -7,6 +7,7 @@
 ./dokuwiki.nix
 ./forgejo.nix
 ./wynne.nix
+ ./fail2ban.nix
 ];
 
 networking.hostName = "lab";
diff --git a/hosts/lab/fail2ban.nix b/hosts/lab/fail2ban.nix
new file mode 100644
index 0000000..5ca03bd
--- /dev/null
+++ b/hosts/lab/fail2ban.nix
@@ -0,0 +1,61 @@
+{ ... }:
+{
+ services.fail2ban = {
+ enable = true;
+ maxretry = 5;
+ bantime = "1h";
+ bantime-increment = {
+ enable = true;
+ maxtime = "168h";
+ overalljails = true;
+ };
+ ignoreIP = [ "127.0.0.1/8" "::1" ];
+
+ jails = {
+ # SSH jail auto-created by NixOS — just tighten the limits
+ sshd.settings = {
+ maxretry = 3;
+ findtime = "15m";
+ };
+
+ forgejo.settings = {
+ enabled = true;
+ port = "http,https,4201";
+ filter = "forgejo";
+ backend = "systemd";
+ journalmatch = "_SYSTEMD_UNIT=forgejo.service";
+ maxretry = 5;
+ findtime = "10m";
+ };
+
+ caddy-status.settings = {
+ enabled = true;
+ port = "http,https";
+ filter = "caddy-status";
+ backend = "systemd";
+ journalmatch = "_SYSTEMD_UNIT=caddy.service";
+ maxretry = 10;
+ findtime = "10m";
+ };
+ };
+ };
+
+ # Enable Caddy access logging (to journal via stderr)
+ services.caddy.globalConfig = ''
+ servers {
+ logs
+ }
+ '';
+
+ environment.etc."fail2ban/filter.d/forgejo.conf".text = ''
+ [Definition]
+ failregex = ^.*Failed authentication attempt for .* from
+ ignoreregex =
+ '';
+
+ environment.etc."fail2ban/filter.d/caddy-status.conf".text = ''
+ [Definition]
+ failregex = ^.*"client_ip":"".*"status":\s*(401|403)
+ ignoreregex =
+ '';
+}
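Review bot: Neither failregex in the two new filter files contains a `<HOST>` capture as the hunk shows them — the forgejo pattern `failregex = ^.*Failed authentication attempt for .* from` stops after `from`, and the caddy-status pattern has an empty `"client_ip":""`. If that is the real file content rather than a rendering artifact that stripped the placeholder, fail2ban refuses to load a failregex without a host group, so the forgejo and caddy-status jails fail at startup and ban nothing; the intended lines are presumably `failregex = ^.*Failed authentication attempt for .* from <HOST>` and `failregex = ^.*"client_ip":"<HOST>".*"status":\s*(401|403)`. Separately, the caddy-status filter counts every 401/403 the server returns, including responses a logged-out user or a crawler legitimately triggers on auth-gated paths, so ten such responses within the 10m findtime ban a client regardless of intent. A comment above that jail such as `# bans any client with 10 x 401/403 in 10m — expect false positives on auth-gated paths` would make that trade-off visible to the next reader. Both filter definitions are complete within the hunk.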