den
# fail2ban integration for the Forgejo aspect: defines a jail plus the filter
# it references. Nothing is emitted unless fail2ban is enabled on the host.
{lib, ...}: {
  den.aspects.services.provides.forgejo.nixos = {config, ...}: let
    # Single source for the jail name, the `filter` setting and the filter
    # file name, so the three cannot drift apart.
    jailName = "forgejo-ssh";
  in
    lib.mkIf config.services.fail2ban.enable {
      # Filter definition installed at /etc/fail2ban/filter.d/<jailName>.conf.
      #
      # journalmatch limits matching to journal entries of forgejo.service.
      #
      # failregex matches any of the three listed message fragments followed
      # by " from <HOST>" at the very end of the line. The `.*` runs can span
      # text supplied by the client, so the trailing `$` is what ensures the
      # banned address is the one the server appended, not one embedded
      # earlier in the message.
      # NOTE(review): the same `$` means a line with anything after the
      # address (a port, an error suffix) will not match; confirm against
      # real Forgejo journal lines with `fail2ban-regex` before relying on it.
      environment.etc."fail2ban/filter.d/${jailName}.conf".text = ''
        [Definition]
        failregex = ^.*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>$
        journalmatch = _SYSTEMD_UNIT=forgejo.service
      '';

      services.fail2ban.jails.${jailName}.settings = {
        filter = jailName;

        # Three matches within one hour (findtime, seconds) trigger a
        # fifteen-minute ban (bantime, seconds).
        # NOTE(review): the ban is shorter than the counting window, so slow
        # guessing is only briefly interrupted; consider whether
        # services.fail2ban.bantime-increment should be enabled for repeat
        # offenders.
        maxretry = 3;
        findtime = 3600;
        bantime = 900;

        # Blocks the offending address on all ports, not only the SSH port.
        # NOTE(review): assumes an iptables-based firewall; on a host using
        # nftables this action would need to be the nftables equivalent.
        action = "iptables-allports";

        # NOTE(review): the filter above contains no `<mode>` substitution
        # and `filter` is not passed a mode argument, so this setting
        # appears to have no effect here; verify or drop.
        mode = "aggressive";
      };
    };
}