forgejo: add fail2ban jail
parent
e320317d27
commit
ac3f794578
1 changed files with 20 additions and 0 deletions
|
@ -31,6 +31,9 @@
|
||||||
SSH_LISTEN_PORT = 2222;
|
SSH_LISTEN_PORT = 2222;
|
||||||
SSH_LISTEN_HOST = "100.121.201.47";
|
SSH_LISTEN_HOST = "100.121.201.47";
|
||||||
};
|
};
|
||||||
|
session = {
|
||||||
|
COOKIE_SECURE = true;
|
||||||
|
};
|
||||||
database = {
|
database = {
|
||||||
DB_TYPE = lib.mkForce "postgres";
|
DB_TYPE = lib.mkForce "postgres";
|
||||||
HOST = "192.168.1.211:5432";
|
HOST = "192.168.1.211:5432";
|
||||||
|
@ -59,4 +62,21 @@
|
||||||
};
|
};
|
||||||
mailerPasswordFile = config.sops.secrets.smtp2go-pwd.path;
|
mailerPasswordFile = config.sops.secrets.smtp2go-pwd.path;
|
||||||
};
|
};
|
||||||
|
services.fail2ban.jails.forgejo = {
|
||||||
|
settings = {
|
||||||
|
filter = "forgejo";
|
||||||
|
action = ''iptables-allports'';
|
||||||
|
mode = "aggressive";
|
||||||
|
maxretry = 3;
|
||||||
|
findtime = 3600;
|
||||||
|
bantime = 900;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
environment.etc = {
|
||||||
|
"fail2ban/filter.d/forgejo.conf".text = ''
|
||||||
|
[Definition]
|
||||||
|
failregex = ^.*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>$
|
||||||
|
journalmatch = _SYSTEMD_UNIT=forgejo.service
|
||||||
|
'';
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
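Review bot: `mode = "aggressive";` in the jail settings has no effect, because the jail references the filter as plain `filter = "forgejo"` and the filter written under `environment.etc` contains no `<mode>`-dependent expression; drop the line so the jail does not read as stricter than it is. The banned address is whatever Forgejo logs after ` from `, so if the web UI sits behind a reverse proxy (not visible in this diff), three failed logins within `findtime` would ban the proxy for every user. Confirm the journal shows real client addresses (Forgejo's `REVERSE_PROXY_TRUSTED_PROXIES`) and consider an `ignoreip` entry for trusted ranges. `action = ''iptables-allports'';` also hard-codes iptables, which may not match a host whose firewall is nftables-based; a short comment stating that assumption would help.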