57 lines
1.4 KiB
Nix
57 lines
1.4 KiB
Nix
{ ... }:
|
|
{
|
|
services.fail2ban = {
|
|
enable = true;
|
|
maxretry = 5;
|
|
bantime = "1h";
|
|
bantime-increment = {
|
|
enable = true;
|
|
maxtime = "168h";
|
|
overalljails = true;
|
|
};
|
|
ignoreIP = [ "127.0.0.1/8" "::1" ];
|
|
|
|
jails = {
|
|
# SSH jail auto-created by NixOS — just tighten the limits
|
|
sshd.settings = {
|
|
maxretry = 3;
|
|
findtime = "15m";
|
|
};
|
|
|
|
forgejo.settings = {
|
|
enabled = true;
|
|
port = "http,https,4201";
|
|
filter = "forgejo";
|
|
backend = "systemd";
|
|
journalmatch = "_SYSTEMD_UNIT=forgejo.service";
|
|
maxretry = 5;
|
|
findtime = "10m";
|
|
};
|
|
|
|
caddy-status.settings = {
|
|
enabled = true;
|
|
port = "http,https";
|
|
filter = "caddy-status";
|
|
backend = "systemd";
|
|
journalmatch = "_SYSTEMD_UNIT=caddy.service";
|
|
maxretry = 10;
|
|
findtime = "10m";
|
|
};
|
|
};
|
|
};
|
|
|
|
# Each virtualHost already has a `log` block for access logging.
|
|
# The global `servers { logs }` directive was removed in Caddy 2.11.
|
|
|
|
environment.etc."fail2ban/filter.d/forgejo.conf".text = ''
|
|
[Definition]
|
|
failregex = ^.*Failed authentication attempt for .* from <HOST>
|
|
ignoreregex =
|
|
'';
|
|
|
|
environment.etc."fail2ban/filter.d/caddy-status.conf".text = ''
|
|
[Definition]
|
|
failregex = ^.*"client_ip":"<HOST>".*"status":\s*(401|403)
|
|
ignoreregex =
|
|
'';
|
|
}
|