From c3ef1897997083429af6581ca6509a0cd33d5a19 Mon Sep 17 00:00:00 2001
From: lew
Date: Tue, 7 Apr 2026 14:28:39 +0100
Subject: [PATCH 1/2] feat: fail2ban

---
 hosts/lab/default.nix | 1 +
 hosts/lab/fail2ban.nix | 61 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+)
 create mode 100644 hosts/lab/fail2ban.nix

diff --git a/hosts/lab/default.nix b/hosts/lab/default.nix
index e1bfa2e..fdc0d90 100644
--- a/hosts/lab/default.nix
+++ b/hosts/lab/default.nix
@@ -7,6 +7,7 @@
 ./dokuwiki.nix
 ./forgejo.nix
 ./wynne.nix
+ ./fail2ban.nix
 ];
 
 networking.hostName = "lab";
diff --git a/hosts/lab/fail2ban.nix b/hosts/lab/fail2ban.nix
new file mode 100644
index 0000000..5ca03bd
--- /dev/null
+++ b/hosts/lab/fail2ban.nix
@@ -0,0 +1,61 @@
+{ ... }:
+{
+ services.fail2ban = {
+ enable = true;
+ maxretry = 5;
+ bantime = "1h";
+ bantime-increment = {
+ enable = true;
+ maxtime = "168h";
+ overalljails = true;
+ };
+ ignoreIP = [ "127.0.0.1/8" "::1" ];
+
+ jails = {
+ # SSH jail auto-created by NixOS — just tighten the limits
+ sshd.settings = {
+ maxretry = 3;
+ findtime = "15m";
+ };
+
+ forgejo.settings = {
+ enabled = true;
+ port = "http,https,4201";
+ filter = "forgejo";
+ backend = "systemd";
+ journalmatch = "_SYSTEMD_UNIT=forgejo.service";
+ maxretry = 5;
+ findtime = "10m";
+ };
+
+ caddy-status.settings = {
+ enabled = true;
+ port = "http,https";
+ filter = "caddy-status";
+ backend = "systemd";
+ journalmatch = "_SYSTEMD_UNIT=caddy.service";
+ maxretry = 10;
+ findtime = "10m";
+ };
+ };
+ };
+
+ # Enable Caddy access logging (to journal via stderr)
+ services.caddy.globalConfig = ''
+ servers {
+ logs
+ }
+ '';
+
+ environment.etc."fail2ban/filter.d/forgejo.conf".text = ''
+ [Definition]
+ failregex = ^.*Failed authentication attempt for .* from
+ ignoreregex =
+ '';
+
+ environment.etc."fail2ban/filter.d/caddy-status.conf".text = ''
+ [Definition]
+ failregex = ^.*"client_ip":"".*"status":\s*(401|403)
+ ignoreregex =
+ '';
+}
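Review bot: Neither filter's failregex, as shown in the fail2ban.nix hunk, contains the `<HOST>` capture that fail2ban needs to extract the offending address, so both jails would fail to load: the Forgejo pattern ends at `from`, and `"client_ip":""` can only ever match an empty client IP (if the tag was stripped by rendering, disregard). The expected forms are `failregex = ^.*Failed authentication attempt for .* from <HOST>` and `failregex = ^.*"client_ip":"<HOST>".*"status":\s*(401|403)`. Separately, if Forgejo is reached through Caddy rather than directly on 4201, the address it logs is presumably the proxy's unless Forgejo is configured to trust the proxy's forwarded headers, in which case every hit lands inside `ignoreIP` (127.0.0.1/8) and the jail silently never bans; worth confirming with `fail2ban-client status forgejo` after deployment. A one-line comment on each filter naming the log line it is meant to match would also make the regexes reviewable without reading the upstream log format.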
From 3bc8264d276e874e79d50582f1d131e76597487e Mon Sep 17 00:00:00 2001
From: lew
Date: Tue, 7 Apr 2026 14:28:48 +0100
Subject: [PATCH 2/2] feat: uptime kuma on status.*

---
 hosts/lab/default.nix | 1 +
 hosts/lab/uptime-kuma.nix | 27 +++++++++++++++++++++++++++
 2 files changed, 28 insertions(+)
 create mode 100644 hosts/lab/uptime-kuma.nix

diff --git a/hosts/lab/default.nix b/hosts/lab/default.nix
index fdc0d90..247bf04 100644
--- a/hosts/lab/default.nix
+++ b/hosts/lab/default.nix
@@ -8,6 +8,7 @@
 ./forgejo.nix
 ./wynne.nix
 ./fail2ban.nix
+ ./uptime-kuma.nix
 ];
 
 networking.hostName = "lab";
diff --git a/hosts/lab/uptime-kuma.nix b/hosts/lab/uptime-kuma.nix
new file mode 100644
index 0000000..6d6cce8
--- /dev/null
+++ b/hosts/lab/uptime-kuma.nix
@@ -0,0 +1,27 @@
+{ ... }:
+{
+ services.caddy.virtualHosts."status.ily.rs" = {
+ extraConfig = ''
+ reverse_proxy localhost:3001
+ encode zstd gzip
+ '';
+ };
+
+ services.caddy.virtualHosts."status.wynne.rs" = {
+ extraConfig = ''
+ redir https://status.ily.rs{uri} permanent
+ '';
+ };
+
+ virtualisation.oci-containers.containers.uptime-kuma = {
+ image = "louislam/uptime-kuma:1";
+ podman.user = "podman";
+ volumes = [
+ "/srv/uptime-kuma/data:/app/data"
+ ];
+ ports = [ "127.0.0.1:3001:3001" ];
+ };
+
+ # Workaround for NixOS/nixpkgs#410857 until backport of #475089 lands
+ systemd.services.podman-uptime-kuma.serviceConfig.Delegate = true;
+}
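Review bot: `image = "louislam/uptime-kuma:1";` in the uptime-kuma.nix hunk is a mutable major tag, so the code that actually runs changes silently on every pull with nothing in the repository recording what was deployed; pinning the digest, e.g. `image = "louislam/uptime-kuma:1@sha256:DIGEST_PLACEHOLDER";`, keeps the deployment reproducible and auditable. The bind-mounted host path `/srv/uptime-kuma/data` is neither created nor given ownership matching the rootless `podman` user anywhere in this file, so the first start on a fresh host presumably fails; a `systemd.tmpfiles.rules` entry, or a comment stating that the directory is provisioned elsewhere, would close that gap. Binding `ports = [ "127.0.0.1:3001:3001" ]` to loopback correctly keeps the app reachable only through the Caddy virtual host.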