Compare commits


2 commits

Author SHA1 Message Date
lew
3bc8264d27 feat: uptime kuma on status.* 2026-04-07 14:28:48 +01:00
lew
c3ef189799 feat: fail2ban 2026-04-07 14:28:39 +01:00
3 changed files with 90 additions and 0 deletions


@ -7,6 +7,8 @@
./dokuwiki.nix ./dokuwiki.nix
./forgejo.nix ./forgejo.nix
./wynne.nix ./wynne.nix
./fail2ban.nix
./uptime-kuma.nix
]; ];
networking.hostName = "lab"; networking.hostName = "lab";

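--- /dev/null
+++ b/hosts/lab/fail2ban.nix
@@ -0,0 +1,61 @@
+{ ... }:
+{
+services.fail2ban = {
+enable = true;
+maxretry = 5;
+bantime = "1h";
+bantime-increment = {
+enable = true;
+maxtime = "168h";
+overalljails = true;
+};
+ignoreIP = [ "127.0.0.1/8" "::1" ];
+jails = {
+# SSH jail auto-created by NixOS — just tighten the limits
+sshd.settings = {
+maxretry = 3;
+findtime = "15m";
+};
+forgejo.settings = {
+enabled = true;
+port = "http,https,4201";
+filter = "forgejo";
+backend = "systemd";
+journalmatch = "_SYSTEMD_UNIT=forgejo.service";
+maxretry = 5;
+findtime = "10m";
+};
+caddy-status.settings = {
+enabled = true;
+port = "http,https";
+filter = "caddy-status";
+backend = "systemd";
+journalmatch = "_SYSTEMD_UNIT=caddy.service";
+maxretry = 10;
+findtime = "10m";
+};
+};
+};
+# Enable Caddy access logging (to journal via stderr)
+services.caddy.globalConfig = ''
+servers {
+logs
+}
+'';
+environment.etc."fail2ban/filter.d/forgejo.conf".text = ''
+[Definition]
+failregex = ^.*Failed authentication attempt for .* from <HOST>
+ignoreregex =
+'';
+environment.etc."fail2ban/filter.d/caddy-status.conf".text = ''
+[Definition]
+failregex = ^.*"client_ip":"<HOST>".*"status":\s*(401|403)
+ignoreregex =
+'';
+}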
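Review bot: The `caddy-status` filter at the bottom of the file bans on any 401/403 in Caddy's access log, not only on traffic to the status host, because `^.*"client_ip":"<HOST>".*"status":\s*(401|403)` names no virtual host and the global `servers { logs }` block turns on access logging for every site this Caddy instance serves. If Forgejo is served through the same Caddy (the `./forgejo.nix` import in the first hunk suggests it), the git smart-HTTP handshake answers the first, unauthenticated request with a legitimate 401 before credentials are sent, so one user fetching several private repositories can reach `maxretry = 10` inside `findtime = "10m"` and lose `http,https` access — a self-inflicted outage, not a detection. Constrain the pattern to the status site, e.g. `failregex = ^.*"client_ip":"<HOST>".*"host":"status\.ily\.rs".*"status":\s*(401|403)`; the field order should be checked against a real log line, since Caddy emits both `client_ip` and `host` inside the `request` object. It is also worth confirming with a deliberate failed login that Uptime Kuma actually produces a 401/403 in Caddy's log; if it authenticates over its websocket connection, this jail will never fire for it and the failed-login evidence lives in the container's own log instead.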

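--- /dev/null
+++ b/hosts/lab/uptime-kuma.nix
@@ -0,0 +1,27 @@
+{ ... }:
+{
+services.caddy.virtualHosts."status.ily.rs" = {
+extraConfig = ''
+reverse_proxy localhost:3001
+encode zstd gzip
+'';
+};
+services.caddy.virtualHosts."status.wynne.rs" = {
+extraConfig = ''
+redir https://status.ily.rs{uri} permanent
+'';
+};
+virtualisation.oci-containers.containers.uptime-kuma = {
+image = "louislam/uptime-kuma:1";
+podman.user = "podman";
+volumes = [
+"/srv/uptime-kuma/data:/app/data"
+];
+ports = [ "127.0.0.1:3001:3001" ];
+};
+# Workaround for NixOS/nixpkgs#410857 until backport of #475089 lands
+systemd.services.podman-uptime-kuma.serviceConfig.Delegate = true;
+}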
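Review bot: `image = "louislam/uptime-kuma:1";` is a mutable tag, so the content of the running container can change on any pull without a corresponding change in this repository, and a rebuild cannot tell you which image is actually deployed. Pin the digest alongside the tag so an image change has to show up as a diff here, e.g. `image = "louislam/uptime-kuma:1@sha256:<DIGEST>";` (placeholder — take the digest from the image you have verified). The loopback-only `ports` mapping and the rootless `podman.user = "podman"` are the right defaults for a service that is only reached through Caddy, and the `Delegate = true` workaround already cites the upstream issues, so nothing further is needed there.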