commit 2e847423f94665fd326d5b42e87bbf7040a3e156 · aylac.top/nixcfg-own-knot

+1 -20

modules/nixos/services/fail2ban/default.nix

···

       19
       19
        
         options.myNixOS.services.fail2ban.enable = lib.mkEnableOption "fail2ban";

     

       20
       20
        
       

     

       21
       21
        
         config = lib.mkIf config.myNixOS.services.fail2ban.enable {

     

       22
       22
       -
           age.secrets = {

     

       23
       23
       -
             cloudflareFail2ban.file = "${self.inputs.secrets}/cloudflare/fail2ban.age";

     

       24
       24
       -
           };

     

       22
       22
       +
           age.secrets.cloudflareFail2ban.file = "${self.inputs.secrets}/cloudflare/fail2ban.age";

     

       25
       23
        
       

     

       26
       24
        
           environment.etc = {

     

       27
       25
        
             "fail2ban/action.d/mycloudflare.conf" = {

     
···

       45
       43
        
               }}

     

       46
       44
        
             '';

     

       47
       45
        
       

     

       48
       48
       -
             "fail2ban/filter.d/forgejo.conf".text = ''

     

       49
       49
       -
               [Definition]

     

       50
       50
       -
               failregex =  .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>

     

       51
       51
       -
               journalmatch = _SYSTEMD_UNIT=forgejo.service

     

       52
       52
       -
             '';

     

       53
       53
       -
       

     

       54
       46
        
             "fail2ban/filter.d/vaultwarden.conf".text = ''

     

       55
       47
        
               [INCLUDES]

     

       56
       48
        
               before = common.conf

     
···

       79
       71
        
             bantime-increment.enable = true;

     

       80
       72
        
             extraPackages = [pkgs.curl pkgs.jq pkgs.uutils-coreutils-noprefix];

     

       81
       73
        
             jails = {

     

       82
       82
       -
               forgejo.settings = {

     

       83
       83
       -
                 action = ''

     

       84
       84
       -
                   mycloudflare

     

       85
       85
       -
                     iptables-allports

     

       86
       86
       -
                     ntfy'';

     

       87
       87
       -
                 bantime = 900;

     

       88
       88
       -
                 filter = "forgejo";

     

       89
       89
       -
                 findtime = 3600;

     

       90
       90
       -
                 maxretry = 4;

     

       91
       91
       -
               };

     

       92
       92
       -
       

     

       93
       74
        
               # HTTP basic-auth failures, 5 tries → 1-day ban

     

       94
       75
        
               nginx-http-auth = {

     

       95
       76
        
                 settings = {

+65

modules/nixos/services/forgejo/default.nix

···

       3
       3
        
         config,

     

       4
       4
        
         lib,

     

       5
       5
        
         pkgs,

     

       6
       6
       +
         self,

     

       6
       7
        
         ...

     

       7
       8
        
       }: let

     

       8
       9
        
         name = "forgejo";

     
···

       10
       11
        
       

     

       11
       12
        
         network = config.mySnippets.aylac-top;

     

       12
       13
        
         service = network.networkMap.${name};

     

       14
       14
       +
       

     

       15
       15
       +
         mkNotify = {

     

       16
       16
       +
           message,

     

       17
       17
       +
           channel,

     

       18
       18
       +
           priority ? 1,

     

       19
       19
       +
         }: ''

     

       20
       20
       +
           curl -u $(cat "${config.age.secrets.ntfyAuto.path}") \

     

       21
       21
       +
             -H "X-Priority: ${toString priority}" \

     

       22
       22
       +
             -d '${message}' \

     

       23
       23
       +
             https://${config.mySnippets.aylac-top.networkMap.ntfy.vHost}/${channel}

     

       24
       24
       +
         '';

     

       13
       25
        
       in {

     

       14
       26
        
         options.myNixOS.services.${name} = {

     

       15
       27
        
           enable = lib.mkEnableOption "forgejo git forge";

     
···

       29
       41
        
         };

     

       30
       42
        
       

     

       31
       43
        
         config = lib.mkIf cfg.enable {

     

       44
       44
       +
           age.secrets.cloudflareFail2ban.file = "${self.inputs.secrets}/cloudflare/fail2ban.age";

     

       45
       45
       +
       

     

       32
       46
        
           services.cloudflared.tunnels."${network.cloudflareTunnel}".ingress = lib.mkIf cfg.autoProxy {

     

       33
       47
        
             "${service.vHost}" = "http://${service.hostName}:${toString service.port}";

     

       34
       48
        
           };

     
···

       40
       54
        
       

     

       41
       55
        
           containers.forgejo = {

     

       42
       56
        
             autoStart = true;

     

       57
       57
       +
             bindMounts = {

     

       58
       58
       +
               "${config.age.secrets.cloudflareFail2ban.path}".isReadOnly = true;

     

       59
       59
       +
               "${config.age.secrets.ntfyAuto.path}".isReadOnly = true;

     

       60
       60
       +
             };

     

       43
       61
        
       

     

       44
       62
        
             config = {

     

       45
       63
        
               services = {

     
···

       134
       152
        
                     };

     

       135
       153
        
                   };

     

       136
       154
        
                 };

     

       155
       155
       +
       

     

       156
       156
       +
                 fail2ban = {

     

       157
       157
       +
                   enable = true;

     

       158
       158
       +
                   ignoreIP = ["100.64.0.0/10"];

     

       159
       159
       +
                   bantime = "24h";

     

       160
       160
       +
                   bantime-increment.enable = true;

     

       161
       161
       +
                   extraPackages = [pkgs.curl pkgs.jq pkgs.uutils-coreutils-noprefix];

     

       162
       162
       +
                   jails.forgejo.settings = {

     

       163
       163
       +
                     action = ''

     

       164
       164
       +
                       mycloudflare

     

       165
       165
       +
                         iptables-allports

     

       166
       166
       +
                         ntfy'';

     

       167
       167
       +
                     bantime = 900;

     

       168
       168
       +
                     filter = "forgejo";

     

       169
       169
       +
                     findtime = 3600;

     

       170
       170
       +
                     maxretry = 4;

     

       171
       171
       +
                   };

     

       172
       172
       +
                 };

     

       173
       173
       +
               };

     

       174
       174
       +
       

     

       175
       175
       +
               environment.etc = {

     

       176
       176
       +
                 "fail2ban/action.d/mycloudflare.conf" = {

     

       177
       177
       +
                   user = "root";

     

       178
       178
       +
                   group = "root";

     

       179
       179
       +
                   mode = "0640";

     

       180
       180
       +
                   source = config.age.secrets.cloudflareFail2ban.path;

     

       181
       181
       +
                 };

     

       182
       182
       +
       

     

       183
       183
       +
                 "fail2ban/action.d/ntfy.conf".text = ''

     

       184
       184
       +
                   [Definition]

     

       185
       185
       +
                   actionban = ${mkNotify {

     

       186
       186
       +
                     message = "Arrested <ip> for trying to rob <name> at ${config.networking.hostName}";

     

       187
       187
       +
                     channel = "fail2ban";

     

       188
       188
       +
                     priority = 3;

     

       189
       189
       +
                   }}

     

       190
       190
       +
                   actionunban = ${mkNotify {

     

       191
       191
       +
                     message = "Released <ip> from the jail at ${config.networking.hostName}";

     

       192
       192
       +
                     channel = "fail2ban";

     

       193
       193
       +
                     priority = 2;

     

       194
       194
       +
                   }}

     

       195
       195
       +
                 '';

     

       196
       196
       +
       

     

       197
       197
       +
                 "fail2ban/filter.d/forgejo.conf".text = ''

     

       198
       198
       +
                   [Definition]

     

       199
       199
       +
                   failregex =  .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>

     

       200
       200
       +
                   journalmatch = _SYSTEMD_UNIT=forgejo.service

     

       201
       201
       +
                 '';

     

       137
       202
        
               };

     

       138
       203
        
       

     

       139
       204
        
               systemd.services.forgejo = lib.mkIf (cfg.db