Add Fail2ban to Gitea and Bitwarden

roles/gitea/tasks/main.yml

@@ -81,6 +81,18 @@
     dest: "{{ gitea_root }}/.env"
   notify: restart_gitea
 
+- name: Install Gitea's Fail2ban filter
+  template:
+    src: fail2ban-filter.conf.j2
+    dest: /etc/fail2ban/filter.d/gitea.conf
+  notify: restart_fail2ban
+
+- name: Install Gitea's Fail2ban jail
+  template:
+    src: fail2ban-jail.conf.j2
+    dest: /etc/fail2ban/jail.d/gitea.conf
+  notify: restart_fail2ban
+
 - name: Start and enable Gitea service
   service:
     name: "{{ docker_compose_service }}@{{ gitea_name }}"

roles/gitea/templates/docker-compose.yml.j2

@@ -12,6 +12,7 @@ services:
     environment:
       - USER_UID={{ getent_passwd.git[1] }}
       - USER_GID={{ getent_group.git[1] }}
+      - GITEA__log__MODE=file
       - GITEA__server__ROOT_URL=${gitea_rooturl}
       - GITEA__server__DOMAIN=${gitea_domain}
       - GITEA__server__SSH_DOMAIN=${gitea_domain}
@@ -25,7 +26,8 @@ services:
       - GITEA__service__DISABLE_REGISTRATION=${gitea_disable_registration}
     volumes:
       - {{ gitea_volume }}:/data
-      - /home/git/.ssh/:/data/git/.ssh
+      - /home/git/.ssh:/data/git/.ssh
+      - /var/log/gitea:/data/gitea/log
       - /etc/timezone:/etc/timezone:ro
       - /etc/localtime:/etc/localtime:ro
 

roles/gitea/templates/fail2ban-filter.conf.j2

@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+[Definition]
+failregex =  .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
+ignoreregex =

roles/gitea/templates/fail2ban-jail.conf.j2

@@ -0,0 +1,18 @@
+# {{ ansible_managed }}
+[gitea]
+enabled = true
+filter = gitea
+logpath = /var/log/gitea/gitea.log
+maxretry = 10
+findtime = 3600
+bantime = 900
+action = iptables-allports
+
+[gitea-docker]
+enabled = true
+filter = gitea
+logpath = /var/log/gitea/gitea.log
+maxretry = 10
+findtime = 3600
+bantime = 900
+action = iptables-allports[chain="FORWARD"]