fail2ban: implement for gitea

2026-01-20 14:39:29 -05:00
parent 0214621a58
commit ba45743ea0
1 changed files with 15 additions and 0 deletions
--- a/services/gitea.nix
+++ b/services/gitea.nix
@@ -58,4 +58,19 @@
  };

  services.openssh.settings.AllowUsers = [ config.services.gitea.user ];
+
+  # Protect Gitea login from brute force attacks
+  services.fail2ban.jails.gitea = {
+    enabled = true;
+    settings = {
+      backend = "systemd";
+      port = "http,https";
+      # defaults: maxretry=5, findtime=10m, bantime=10m
+    };
+    filter.Definition = {
+      failregex = ''^.*Failed authentication attempt for .* from <HOST>:.*$'';
+      ignoreregex = "";
+      journalmatch = "_SYSTEMD_UNIT=gitea.service";
+    };
+  };
 }