diff --git a/services/fail2ban.nix b/services/fail2ban.nix
index fe6de25..e6190b5 100755
--- a/services/fail2ban.nix
+++ b/services/fail2ban.nix
@@ -28,23 +28,44 @@
 jellyfin = lib.mkIf config.services.jellyfin.enable {
 settings = {
 filter = "jellyfin";
- backend = "auto";
+ backend = "systemd";
 enabled = true;
- port = "8096,8920";
- maxretry = 3;
- bantime = 86400;
- findtime = 43200;
- logpath = "/var/lib/jellyfin/log/*.log";
+ port = "80,443";
+ maxretry = 8;
+ bantime = "24h";
+ findtime = "30m";
+ journalmatch = "_SYSTEMD_UNIT=jellyfin.service";
+ # logpath = "/var/lib/jellyfin/log/*.log";
+ };
+ };
+
+ forgejo = lib.mkIf config.services.forgejo.enable {
+ settings = {
+ filter = "forgejo";
+ backend = "systemd";
+ enabled = true;
+ port = "80,443";
+ maxretry = 8;
+ bantime = "24h";
+ findtime = "30m";
+ journalmatch = "_SYSTEMD_UNIT=forgejo.service";
+ # logpath = "/var/lib/forgejo/log/*.log";
 };
 };
 };
 };
 environment.etc = {
+ # Jellyfin
 "fail2ban/filter.d/jellyfin.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
 [Definition]
 failregex = ^.*Authentication request for .* has been denied \(IP: \)\.
 '');
+ # Forgejo
+ "fail2ban/filter.d/forgejo.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+ [Definition]
+ failregex = ^.*Failed authentication attempt for .* from .*$
+ '');
 # Defines a filter that detects URL probing by reading the Nginx access log
 "fail2ban/filter.d/nginx-url-probe.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
 [Definition]
diff --git a/services/forgejo.nix b/services/forgejo.nix
index 67793ac..ac3ca19 100755
--- a/services/forgejo.nix
+++ b/services/forgejo.nix
@@ -17,11 +17,6 @@ in {
 ENABLE_PUSH_CREATE_USER = true;
 };
- log = {
- MODE = "file";
- LEVEL = "info";
- };
-
 server = {
 DOMAIN = "git.spoodythe.one";
 HTTP_PORT = port;
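Review bot: Both jails in the fail2ban.nix hunk now ban on `port = "80,443"` while taking the offending address from the jellyfin and forgejo journals, which only works if each service logs the real client address rather than the reverse proxy's; nothing in this diff shows that, so bans may land on the proxy address or never reach the client. I would add a comment above the two jails such as `# requires jellyfin/forgejo to accept forwarded-for headers from the local proxy only, so the journal carries the client IP`, and confirm the proxy address is on the jail's ignore list. Separately, the new forgejo `failregex` as shown ends in `from .*$` with no `<HOST>` tag (the jellyfin line shows an empty `\(IP: \)` as well); if that is not just this page stripping angle brackets, fail2ban has no address to act on and the line should read `failregex = ^.*Failed authentication attempt for .* from <HOST>`. The forgejo.nix hunk also drops `LEVEL = "info"`, so the jail depends on the module's default log level still emitting the failed-login line, which is worth confirming. The enclosing attribute sets open above the hunk and `environment.etc` continues below it.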