feat: set up fail2ban for forgejo

hosts/raptus/default.nix

@@ -14,6 +14,7 @@ in
     ./disk-config.nix
     ./forgejo.nix
     ./headscale
+    ./fail2ban.nix
   ];
 
   age.secrets = {
@@ -74,12 +75,15 @@ in
 
   services.headscale.enable = true;
 
-  networking.firewall = lib.mkForce {
+  networking = {
-    enable = true;
+    nftables.enable = true;
-    allowedTCPPorts = [
+    firewall = lib.mkForce {
-      80 # for acme challenges
+      enable = true;
-      443
+      allowedTCPPorts = [
-    ] ++ [ config.services.endlessh.port ];
+        80 # for acme challenges
+        443
+      ] ++ [ config.services.endlessh.port ];
+    };
   };
 
   age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

hosts/raptus/fail2ban.nix

@@ -0,0 +1,25 @@
+{ pkgs, ... }:
+{
+  config = {
+    services.fail2ban = {
+      enable = true;
+
+      extraPackages = with pkgs; [ nftables ];
+      maxretry = 5;
+      bantime = "10m";
+      ignoreIP = [
+        "100.64.0.0/16" # Tailscale
+      ];
+
+      banaction = "nftables-multiport";
+      banaction-allports = "nftables-allports";
+
+      bantime-increment = {
+        enable = true;
+        multipliers = "2 8 32 128 512 2048";
+        maxtime = "2400h"; # 100 days
+        overalljails = true; # Calculate the bantime based on all the violations
+      };
+    };
+  };
+}

hosts/raptus/forgejo.nix

@@ -28,6 +28,7 @@ in
         extraConfig = ''
           proxy_ssl_server_name on;
           proxy_pass_header Authorization;
+          proxy_set_header X-Real-IP $remote_addr;
         '';
       };
       forceSSL = true;
@@ -39,6 +40,7 @@ in
   services.forgejo = {
     enable = true;
     package = pkgs.forgejo;
+
     settings = {
       server = {
         SSH_PORT = 2222;
@@ -55,7 +57,7 @@ in
         DISABLE_REGISTRATION = true;
       };
       packages.ENABLED = false;
-      log.LEVEL = "Debug";
+      log.LEVEL = "Info";
       session = {
         COOKIE_SECURE = true;
         SAME_SITE = "strict";
@@ -72,6 +74,8 @@ in
         MIN_PASSWORD_LENGTH = 30;
         PASSWORD_COMPLEXITY = "lower, upper, digit, spec";
         PASSWORD_CHECK_PWN = true;
+        REVERSE_PROXY_LIMIT = 1;
+        REVERSE_PROXY_TRUSTED_PROXIES = "127.0.0.1";
       };
 
       repository = {
@@ -91,4 +95,23 @@ in
     };
   };
 
+  environment.etc = {
+    "fail2ban/filter.d/forgejo-authentication.conf".text = # ini
+      ''
+        # forgejo
+        [Definition]
+        failregex =  .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
+        ignoreregex =
+        journalmatch = _SYSTEMD_UNIT=forgejo.service
+      '';
+  };
+
+  services.fail2ban.jails.forgejo.settings = {
+    enabled = true;
+    filter = "forgejo-authentication";
+    action = "nftables-allports";
+    mode = "aggressive";
+    maxretry = 5;
+    findtime = 600;
+  };
 }

hosts/raptus/headscale/acls.nix

@@ -39,7 +39,7 @@ in
           [
             "tag:guest"
           ]
-          [ "paperless.ccnlc.eu:443" "immich.ccnlc.eu:443" ]
+          [ "100.64.0.4:443" ]
         )
       ];
 

hosts/shan/default.nix

@@ -130,7 +130,13 @@
   };
 
   services = {
-    openssh.enable = true;
+    openssh = {
+      enable = true;
+      startWhenNeeded = true;
+      settings = {
+        PasswordAuthentication = false;
+      };
+    };
 
     jellyfin = {
       enable = true;