From bb5c2f61ee2e4d8126bdd43575c981d4c0e7da1f Mon Sep 17 00:00:00 2001
From: Nydragon
Date: Thu, 9 Jan 2025 13:32:46 +0100
Subject: [PATCH] feat: set up fail2ban for forgejo
---
 hosts/raptus/default.nix | 16 ++++++++++------
 hosts/raptus/fail2ban.nix | 25 +++++++++++++++++++++++++
 hosts/raptus/forgejo.nix | 25 ++++++++++++++++++++++++-
 hosts/raptus/headscale/acls.nix | 2 +-
 hosts/shan/default.nix | 8 +++++++-
 5 files changed, 67 insertions(+), 9 deletions(-)
 create mode 100644 hosts/raptus/fail2ban.nix
diff --git a/hosts/raptus/default.nix b/hosts/raptus/default.nix
index a310d0d..0635d14 100644
--- a/hosts/raptus/default.nix
+++ b/hosts/raptus/default.nix
@@ -14,6 +14,7 @@ in
 ./disk-config.nix
 ./forgejo.nix
 ./headscale
+ ./fail2ban.nix
 ];
 age.secrets = {
@@ -74,12 +75,15 @@ in
 services.headscale.enable = true;
- networking.firewall = lib.mkForce {
- enable = true;
- allowedTCPPorts = [
- 80 # for acme challenges
- 443
- ] ++ [ config.services.endlessh.port ];
+ networking = {
+ nftables.enable = true;
+ firewall = lib.mkForce {
+ enable = true;
+ allowedTCPPorts = [
+ 80 # for acme challenges
+ 443
+ ] ++ [ config.services.endlessh.port ];
+ };
 };
 age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
diff --git a/hosts/raptus/fail2ban.nix b/hosts/raptus/fail2ban.nix
new file mode 100644
index 0000000..f61a774
--- /dev/null
+++ b/hosts/raptus/fail2ban.nix
@@ -0,0 +1,25 @@
+{ pkgs, ... }:
+{
+ config = {
+ services.fail2ban = {
+ enable = true;
+
+ extraPackages = with pkgs; [ nftables ];
+ maxretry = 5;
+ bantime = "10m";
+ ignoreIP = [
+ "100.64.0.0/16" # Tailscale
+ ];
+
+ banaction = "nftables-multiport";
+ banaction-allports = "nftables-allports";
+
+ bantime-increment = {
+ enable = true;
+ multipliers = "2 8 32 128 512 2048";
+ maxtime = "2400h"; # 100 days
+ overalljails = true; # Calculate the bantime based on all the violations
+ };
+ };
+ };
+}
diff --git a/hosts/raptus/forgejo.nix b/hosts/raptus/forgejo.nix
index 7f09498..cab38b4 100644
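Review bot: The `lib.mkForce` kept around the new `firewall = { ... }` set wins over every other definition of `allowedTCPPorts` (and `enable`) in the configuration, so a port another module opens, for example through a service's `openFirewall`, never reaches the ruleset and fails silently rather than at evaluation time. That may well be the intent on an internet-facing host, but the Forgejo `SSH_PORT = 2222` set in this same patch is not in the list either, so the choice deserves a comment such as `# deliberately forced: only nginx and endlessh are exposed; everything else is tailnet-only`. If the force is only meant to pin the TCP list, narrowing it to `allowedTCPPorts = lib.mkForce [ 80 443 config.services.endlessh.port ];` keeps `enable` mergeable. The enclosing module attrset starts and ends outside the hunk.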
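Review bot: `ignoreIP = [ "100.64.0.0/16" ]` is narrower than the range its comment names: the Tailscale/CGNAT block is `100.64.0.0/10`, so a headscale node allocated above `100.64.255.255` would not be exempt, while every peer inside the /16 — including the `tag:guest` devices that acls.nix admits to the tailnet — is never banned however many failed logins it produces. If the exemption is meant for admin workstations only, list those addresses; if it is meant for the whole tailnet, correct the mask and say so, e.g. `"100.64.0.0/10" # headscale tailnet: never banned, guests included`. Either way the current line documents neither choice.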
--- a/hosts/raptus/forgejo.nix
+++ b/hosts/raptus/forgejo.nix
@@ -28,6 +28,7 @@ in
 extraConfig = ''
 proxy_ssl_server_name on;
 proxy_pass_header Authorization;
+ proxy_set_header X-Real-IP $remote_addr;
 '';
 };
 forceSSL = true;
@@ -39,6 +40,7 @@ in
 services.forgejo = {
 enable = true;
 package = pkgs.forgejo;
+
 settings = {
 server = {
 SSH_PORT = 2222;
@@ -55,7 +57,7 @@ in
 DISABLE_REGISTRATION = true;
 };
 packages.ENABLED = false;
- log.LEVEL = "Debug";
+ log.LEVEL = "Info";
 session = {
 COOKIE_SECURE = true;
 SAME_SITE = "strict";
@@ -72,6 +74,8 @@ in
 MIN_PASSWORD_LENGTH = 30;
 PASSWORD_COMPLEXITY = "lower, upper, digit, spec";
 PASSWORD_CHECK_PWN = true;
+ REVERSE_PROXY_LIMIT = 1;
+ REVERSE_PROXY_TRUSTED_PROXIES = "127.0.0.1";
 };
 repository = {
@@ -91,4 +95,23 @@ in
 };
 };
+ environment.etc = {
+ "fail2ban/filter.d/forgejo-authentication.conf".text = # ini
+ ''
+ # forgejo
+ [Definition]
+ failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from
+ ignoreregex =
+ journalmatch = _SYSTEMD_UNIT=forgejo.service
+ '';
+ };
+
+ services.fail2ban.jails.forgejo.settings = {
+ enabled = true;
+ filter = "forgejo-authentication";
+ action = "nftables-allports";
+ mode = "aggressive";
+ maxretry = 5;
+ findtime = 600;
+ };
 }
diff --git a/hosts/raptus/headscale/acls.nix b/hosts/raptus/headscale/acls.nix
index 5d526b0..4ea9a97 100644
--- a/hosts/raptus/headscale/acls.nix
+++ b/hosts/raptus/headscale/acls.nix
@@ -39,7 +39,7 @@ in
 [ "tag:guest" ]
- [ "paperless.ccnlc.eu:443" "immich.ccnlc.eu:443" ]
+ [ "100.64.0.4:443" ]
 )
 ];
diff --git a/hosts/shan/default.nix b/hosts/shan/default.nix
index 7500f76..ed5677c 100644
--- a/hosts/shan/default.nix
+++ b/hosts/shan/default.nix
@@ -130,7 +130,13 @@
 };
 services = {
- openssh.enable = true;
+ openssh = {
+ enable = true;
+ startWhenNeeded = true;
+ settings = {
+ PasswordAuthentication = false;
+ };
+ };
 jellyfin = {
 enable = true;
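Review bot: `REVERSE_PROXY_TRUSTED_PROXIES = "127.0.0.1"` in the fourth hunk covers IPv4 loopback only, and Forgejo honours the `X-Real-IP` header the first hunk adds only when the connection arrives from a listed address; the nginx `proxy_pass` target is outside these hunks, so if nginx reaches Forgejo over `::1` or a unix socket every authentication log line will carry the proxy's address instead of the client's. That would leave the fail2ban jail in the last hunk either blind or, if loopback is not in its ignore list, banning the host's own proxy. As far as I recall Forgejo's default for this key is the comma-separated `127.0.0.0/8,::1/128`, so unless the narrowing is deliberate the safer value is `REVERSE_PROXY_TRUSTED_PROXIES = "127.0.0.1,::1";` with a comment tying it to the nginx upstream address. Both the nginx virtualHost in the first hunk and the `service` section in the fourth start outside their hunks.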
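Review bot: `mode = "aggressive"` in the jail settings has no effect: `mode` is a filter parameter that only filters declaring it (such as the bundled sshd filter) interpret, and the `forgejo-authentication` filter written in this same hunk has no `[Init]` section or mode variants, so the line should be dropped or the filter should define what aggressive means. As rendered here the `failregex` ends at `from` with no `<HOST>` (or `<ADDR>`) capture; if that is only the page eating an angle-bracketed token, ignore this, otherwise fail2ban will refuse to load the filter. `journalmatch` is honoured only with the systemd backend; if the NixOS module does not select it by default, add `backend = "systemd";` to the jail. A short comment above `failregex` naming which Forgejo log messages the three alternatives correspond to would help whoever bumps Forgejo next.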
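Review bot: `[ "100.64.0.4:443" ]` replaces two hostnames with a bare tailnet address, so the rule no longer says which host or services guests may reach, and nothing ties the address to the `ignoreIP` range added in fail2ban.nix. A trailing comment such as `[ "100.64.0.4:443" ] # <host>: reverse proxy fronting the services the removed line listed` keeps the intent readable. The surrounding rule expression starts before the hunk.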
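Review bot: `PasswordAuthentication = false` on its own does not turn off password logins on NixOS: `services.openssh.settings.KbdInteractiveAuthentication` defaults to true there, and PAM can then still offer a password prompt through keyboard-interactive; unless it is set elsewhere in the file, add `KbdInteractiveAuthentication = false;` next to it. The `services` attrset continues outside the hunk.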