services: vaultwarden: add fail2ban jail

Signed-off-by: Christoph Heiss <christoph@c8h4.io>
2024-08-19 10:39:58 +02:00 · 2024-08-19 10:39:58 +02:00 · b4c458e11a
parent e373b1aa98
commit b4c458e11a
1 changed files with 21 additions and 0 deletions
--- a/services/vaultwarden.nix
+++ b/services/vaultwarden.nix
@ -41,4 +41,25 @@ in {
        '';
      };
    };
+
+  services.fail2ban.jails.vaultwarden =
+    lib.mkIf config.services.fail2ban.enable {
+      filter = {
+        INCLUDES.before = "common.conf";
+        Definition = {
+          failregex =
+            "^.*?Username or password is incorrect. Try again. IP: <ADDR>. Username:.*$";
+          ignoreregex = "";
+        };
+      };
+      settings = {
+        enabled = true;
+        backend = "systemd";
+        journalmatch = "_SYSTEMD_UNIT=vaultwarden.service + _COMM=vaultwarden";
+        port = "http,https";
+        filter = "vaultwarden";
+        bantime = "48h";
+        findtime = "4h";
+      };
+    };
 }