lib: add mkCaddyReverseProxy, mkFail2banJail, mkGrafanaAnnotationService, extractArrApiKey

2026-04-09 19:00:47 -04:00
parent c74d356595
commit 75319256f3
23 changed files with 221 additions and 180 deletions
--- a/services/gitea.nix
+++ b/services/gitea.nix
@@ -11,6 +11,14 @@
    (lib.serviceFilePerms "gitea" [
      "Z ${config.services.gitea.stateDir} 0700 ${config.services.gitea.user} ${config.services.gitea.group}"
    ])
+    (lib.mkCaddyReverseProxy {
+      domain = service_configs.gitea.domain;
+      port = service_configs.ports.private.gitea.port;
+    })
+    (lib.mkFail2banJail {
+      name = "gitea";
+      failregex = "^.*Failed authentication attempt for .* from <HOST>:.*$";
+    })
  ];

  services.gitea = {
@@ -41,10 +49,6 @@
    };
  };

-  services.caddy.virtualHosts."${service_configs.gitea.domain}".extraConfig = ''
-    reverse_proxy :${builtins.toString config.services.gitea.settings.server.HTTP_PORT}
-  '';
-
  services.postgresql = {
    ensureDatabases = [ config.services.gitea.user ];
    ensureUsers = [
@@ -58,18 +62,4 @@

  services.openssh.settings.AllowUsers = [ config.services.gitea.user ];

-  # Protect Gitea login from brute force attacks
-  services.fail2ban.jails.gitea = {
-    enabled = true;
-    settings = {
-      backend = "systemd";
-      port = "http,https";
-      # defaults: maxretry=5, findtime=10m, bantime=10m
-    };
-    filter.Definition = {
-      failregex = "^.*Failed authentication attempt for .* from <HOST>:.*$";
-      ignoreregex = "";
-      journalmatch = "_SYSTEMD_UNIT=gitea.service";
-    };
-  };
 }