Start adding fail2ban to server config

2023-05-16 11:04:48 +01:00 · 2023-05-16 11:04:48 +01:00 · 62868f9906
parent 0c59117518
commit 62868f9906
5 changed files with 30 additions and 7 deletions
--- a/home/desktop/waybar.nix
+++ b/home/desktop/waybar.nix
@ -4,10 +4,12 @@
    (nerdfonts.override { fonts = [ "FiraCode" ]; })
    bluez
  ];
-  # xdg.configFile."waybar/common.json".source = ./config/waybar/common.json;
  xdg.configFile."waybar" = {
    source = ./config/waybar;
    recursive = true;
  };
-  programs.waybar.enable = true;
+  programs.waybar = {
+    enable = true;
+    systemd.enable = true;
+  };
 }
--- a/home/ssh/common.nix
+++ b/home/ssh/common.nix
@ -7,6 +7,9 @@
    serverAliveCountMax = 3;
    controlMaster = "auto";
    controlPersist = "1s";
-    matchBlocks."git.*".user = "git";
+    matchBlocks = {
+      "git.*".user = "git";
+      "xenia.me.uk" = { user = "git"; port = 2222; };
+    };
  };
 }
--- a/home/ssh/personal.nix
+++ b/home/ssh/personal.nix
@ -4,7 +4,7 @@
  programs.ssh.matchBlocks = {
    "legion" = { port = 30; };
    "vanguard" = { hostname = "192.168.1.166"; port = 22; };
-    "legion vanguard xenia.me.uk" = lib.hm.dag.entryAfter [ "legion" "vanguard" ] {
+    "legion vanguard" = lib.hm.dag.entryAfter [ "legion" "vanguard" ] {
      user = "root";
      forwardAgent = true;
    };
--- a/server/fail2ban.nix
+++ b/server/fail2ban.nix
@ -0,0 +1,8 @@
+{ ... }:
+{
+  services.fail2ban = {
+    enable = true;
+    ignoreIP = [ "127.0.0.1/8" "::1" "192.168.1.0/16" ];
+    bantime-increment = { enable = true; };
+  };
+}
--- a/server/gitea.nix
+++ b/server/gitea.nix
@ -1,10 +1,20 @@
 { ... }:
 {
-  imports = [ ./traefik.nix ];
-  services.gitea.enable = true;
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
+  imports = [ ./traefik.nix ./fail2ban.nix ];
+  services.gitea = {
+    enable = true;
+    settings = {
+      server = { DOMAIN = "git.xenia.me.uk"; SSH_PORT = 2222; };
+      log.MODE = "file";
+    };
+    appName = "Gitea";
+  };
+  networking.firewall.allowedTCPPorts = [ 80 443 2222 ];
  services.traefik.dynamicConfigOptions.http = {
    routers.gitea = { rule = "Host(`git.xenia.me.uk`)"; service = "gitea-websecure"; tls = { certResolver = "default"; }; };
    services.gitea-websecure.loadBalancer.servers = [{ url = "http://localhost:3000"; }];
  };
+  # services.fail2ban.jails.gitea = ''
+  #
+  # '';
 }