- Add explicit iptables banaction in security.nix for test compatibility
- Force IPv4 in all curl requests to prevent IPv4/IPv6 mismatch issues
- Fix caddy test: use basic_auth directive (not basicauth)
- Override service ports in tests to match direct connections (not via Caddy)
- Vaultwarden: override ROCKET_ADDRESS and ROCKET_LOG for external access
- Immich: increase VM memory to 4GB for stability
- Jellyfin: create placeholder log file and reload fail2ban after startup
- Add tests.nix entries for all 6 fail2ban tests

All tests now pass: ssh, caddy, gitea, vaultwarden, immich, jellyfin
{
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
...
|
|
}:
|
|
|
|
{
|
|
# memory allocator
|
|
# BREAKS REDIS-IMMICH
|
|
# environment.memoryAllocator.provider = "graphene-hardened";
|
|
|
|
# disable coredumps
|
|
systemd.coredump.enable = false;
|
|
|
|
services = {
|
|
dbus.implementation = "broker";
|
|
/*
|
|
logrotate.enable = true;
|
|
journald = {
|
|
storage = "volatile"; # Store logs in memory
|
|
upload.enable = false; # Disable remote log upload (the default)
|
|
extraConfig = ''
|
|
SystemMaxUse=500M
|
|
SystemMaxFileSize=50M
|
|
'';
|
|
};
|
|
*/
|
|
};
|
|
|
|
services.fail2ban = {
|
|
enable = true;
|
|
# Use iptables actions for compatibility
|
|
banaction = "iptables-multiport";
|
|
banaction-allports = "iptables-allports";
|
|
};
|
|
}
|
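Review bot: The explicit `banaction = "iptables-multiport";` / `banaction-allports = "iptables-allports";` pair at the end of the file hard-wires fail2ban to iptables, and the comment `# Use iptables actions for compatibility` does not say what it is compatible with or when the pin can be dropped. If I recall the NixOS module correctly, the default banaction already follows `networking.nftables.enable`, so this override only matters for the test harness, but it will also keep iptables actions if that option is later enabled and bans could then stop taking effect without any error in the fail2ban log. I would make the intent explicit: `# Pinned to iptables actions because the fail2ban VM tests assert on iptables rules; revisit if networking.nftables.enable is set.`. While here, the block sets no `services.fail2ban.ignoreIP`, so a misconfigured jail can ban the management address of whoever is administering the host; consider listing trusted ranges there (e.g. `ignoreIP = [ "<ADMIN-CIDR-PLACEHOLDER>" ];`), and note that the commented-out `journald.storage = "volatile"` block above, if ever enabled, would discard the log history fail2ban and any post-incident review depend on across reboots.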