lib: add mkCaddyReverseProxy, mkFail2banJail, mkGrafanaAnnotationService, extractArrApiKey

2026-04-09 19:00:47 -04:00
parent c74d356595
commit 75319256f3
23 changed files with 221 additions and 180 deletions
--- a/services/bitwarden.nix
+++ b/services/bitwarden.nix
@@ -13,6 +13,10 @@
    (lib.serviceFilePerms "vaultwarden" [
      "Z ${service_configs.vaultwarden.path} 0700 vaultwarden vaultwarden"
    ])
+    (lib.mkFail2banJail {
+      name = "vaultwarden";
+      failregex = ''^.*Username or password is incorrect\. Try again\. IP: <HOST>\..*$'';
+    })
  ];

  services.vaultwarden = {
@@ -38,18 +42,4 @@
    }
  '';

-  # Protect Vaultwarden login from brute force attacks
-  services.fail2ban.jails.vaultwarden = {
-    enabled = true;
-    settings = {
-      backend = "systemd";
-      port = "http,https";
-      # defaults: maxretry=5, findtime=10m, bantime=10m
-    };
-    filter.Definition = {
-      failregex = ''^.*Username or password is incorrect\. Try again\. IP: <HOST>\..*$'';
-      ignoreregex = "";
-      journalmatch = "_SYSTEMD_UNIT=vaultwarden.service";
-    };
-  };
 }