From add77df77f69efa20d2e98b587840461a3b7b360 Mon Sep 17 00:00:00 2001 From: lew Date: Tue, 7 Apr 2026 21:15:32 +0100 Subject: [PATCH 1/2] fix: pin kuma to 2.2.1 --- hosts/lab/uptime-kuma.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/lab/uptime-kuma.nix b/hosts/lab/uptime-kuma.nix index 576a195..93e949f 100644 --- a/hosts/lab/uptime-kuma.nix +++ b/hosts/lab/uptime-kuma.nix @@ -14,7 +14,7 @@ }; virtualisation.oci-containers.containers.uptime-kuma = { - image = "louislam/uptime-kuma:2"; + image = "louislam/uptime-kuma:2.2.1"; podman.user = "podman"; volumes = [ "/srv/uptime-kuma/data:/app/data" From 8c0db938fce787ff2ac63202daaf368c04d41b20 Mon Sep 17 00:00:00 2001 From: lew Date: Tue, 7 Apr 2026 21:16:09 +0100 Subject: [PATCH 2/2] refactor: simplifies fail2ban config --- hosts/lab/fail2ban.nix | 25 ------------------------- 1 file changed, 25 deletions(-) diff --git a/hosts/lab/fail2ban.nix b/hosts/lab/fail2ban.nix index 523bdaf..ac0c690 100644 --- a/hosts/lab/fail2ban.nix +++ b/hosts/lab/fail2ban.nix @@ -2,17 +2,13 @@ { services.fail2ban = { enable = true; - maxretry = 5; - bantime = "1h"; bantime-increment = { enable = true; maxtime = "168h"; overalljails = true; }; - ignoreIP = [ "127.0.0.1/8" "::1" ]; jails = { - # SSH jail auto-created by NixOS — just tighten the limits sshd.settings = { maxretry = 3; findtime = "15m"; 
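Review bot: The new `image = "louislam/uptime-kuma:2.2.1";` line in hosts/lab/uptime-kuma.nix (patch 1/2) still pins by tag only, and a registry tag can be re-pointed to different content, so the host could pull an image other than the one that was tested. Appending the digest keeps the readable version and fixes the content, e.g. `image = "louislam/uptime-kuma:2.2.1@sha256:<digest-of-the-verified-image>";` (placeholder; take the value from the image you verified). A short comment such as `# pinned by digest: bump tag and digest together` would keep the two from drifting apart on the next update. The container attribute set continues past the end of the hunk, so any pull or auto-update settings that affect this are not visible here.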
@@ -24,34 +20,13 @@ filter = "forgejo"; backend = "systemd"; journalmatch = "_SYSTEMD_UNIT=forgejo.service"; - maxretry = 5; - findtime = "10m"; - }; - - caddy-status.settings = { - enabled = true; - port = "http,https"; - filter = "caddy-status"; - backend = "systemd"; - journalmatch = "_SYSTEMD_UNIT=caddy.service"; - maxretry = 10; - findtime = "10m"; }; }; }; - # Each virtualHost already has a `log` block for access logging. - # The global `servers { logs }` directive was removed in Caddy 2.11. - environment.etc."fail2ban/filter.d/forgejo.conf".text = '' [Definition] failregex = ^.*Failed authentication attempt for .* from ignoreregex = ''; - - environment.etc."fail2ban/filter.d/caddy-status.conf".text = '' - [Definition] - failregex = ^.*"client_ip":"".*"status":\s*(401|403) - ignoreregex = - ''; }