authorAlejandro Soto <alejandro@34project.org>2024-07-20 22:35:52 -0600
committerAlejandro Soto <alejandro@34project.org>2024-07-21 00:19:10 -0600
commitb1f3d839adc88b024e3a79d09b54a1939b78edba (patch)
tree2287680392dd32e6bda4c7e2664dc607727d79c7 /sys/gitea/default.nix
parentc88f8c51c90c1e48c75047849a42ae0ed6c4aa15 (diff)
net/fail2ban: initial commit
Diffstat (limited to 'sys/gitea/default.nix')
-rw-r--r--sys/gitea/default.nix23
1 files changed, 20 insertions, 3 deletions
diff --git a/sys/gitea/default.nix b/sys/gitea/default.nix
index 6096950..69dfbc2 100644
--- a/sys/gitea/default.nix
+++ b/sys/gitea/default.nix
@@ -8,9 +8,26 @@ in
};
config = mkIf cfg.enable {
- services.gitea = {
- enable = true;
- useWizard = true;
+ environment.etc."fail2ban/filter.d/gitea.local".text = ''
+ [Definition]
+ failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
+ ignoreregex =
+ '';
+
+ services = {
+ fail2ban.jails.gitea.settings = {
+ filter = "gitea";
+ logpath = "${config.services.gitea.stateDir}/log/gitea.log";
+ maxretry = "10";
+ findtime = "3600";
+ bantime = "900";
+ action = "iptables-allports";
+ };
+
+ gitea = {
+ enable = true;
+ useWizard = true;
+ };
};
users = {
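Review bot: The `gitea` jail reads `logpath = "${config.services.gitea.stateDir}/log/gitea.log"`, but nothing in this hunk makes Gitea write authentication failures to that file; the `gitea` block sets only `enable` and `useWizard`. If Gitea logs to the console or journal instead, the jail matches nothing and repeated login failures are never throttled, so I would add a comment above the jail such as `# requires [log] MODE = file in Gitea's app.ini, otherwise this jail never matches` and confirm the file exists after deployment. Separately, the `failregex` is unanchored at both ends and the text before ` from <HOST>` includes the client-supplied user name, so it is worth running `fail2ban-regex` against real log lines to confirm that `<HOST>` always resolves to the connecting address. If Gitea sits behind a reverse proxy (not visible here), also check that the logged address is the client's rather than the proxy's, since a ban on the proxy address would lock out every user.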