Add Fail2ban to Gitea and Bitwarden

2022-05-28 02:31:41 -04:00 · 2022-05-28 02:31:41 -04:00 · b52ccabd22
commit b52ccabd22
parent eccd6b7874
8 changed files with 63 additions and 1 deletions
--- a/roles/base/handlers/main.yml
+++ b/roles/base/handlers/main.yml
@ -10,3 +10,9 @@
    name: wg-quick@wg0
    state: restarted
  listen: restart_wireguard
+
+- name: Restart Fail2ban
+  service:
+    name: fail2ban
+    state: restarted
+  listen: restart_fail2ban
--- a/roles/base/tasks/firewall.yml
+++ b/roles/base/tasks/firewall.yml
@ -3,6 +3,11 @@
    name: ufw
    state: present

+- name: Install Fail2ban
+  apt:
+    name: fail2ban
+    state: present
+
 - name: Deny incoming traffic by default
  ufw:
    default: deny
--- a/roles/bitwarden/tasks/main.yml
+++ b/roles/bitwarden/tasks/main.yml
@ -78,6 +78,12 @@
  register: bitwarden_systemd
  notify: rebuild_bitwarden

+- name: Install Bitwarden's Fail2ban jail
+  template:
+    src: fail2ban-jail.conf.j2
+    dest: /etc/fail2ban/jail.d/bitwarden.conf
+  notify: restart_fail2ban
+
 - name: Reload systemd manager configuration
  systemd:
    daemon_reload: true
--- a/roles/bitwarden/templates/fail2ban-jail.conf.j2
+++ b/roles/bitwarden/templates/fail2ban-jail.conf.j2
@ -0,0 +1,9 @@
+# {{ ansible_managed }}
+[bitwarden]
+enabled = true
+filter = bitwarden
+logpath = /var/lib/bitwarden/bwdata/logs/identity/Identity/*
+maxretry = 10
+findtime = 3600
+bantime = 900
+action = iptables-allports
--- a/roles/gitea/tasks/main.yml
+++ b/roles/gitea/tasks/main.yml
@ -81,6 +81,18 @@
    dest: "{{ gitea_root }}/.env"
  notify: restart_gitea

+- name: Install Gitea's Fail2ban filter
+  template:
+    src: fail2ban-filter.conf.j2
+    dest: /etc/fail2ban/filter.d/gitea.conf
+  notify: restart_fail2ban
+
+- name: Install Gitea's Fail2ban jail
+  template:
+    src: fail2ban-jail.conf.j2
+    dest: /etc/fail2ban/jail.d/gitea.conf
+  notify: restart_fail2ban
+
 - name: Start and enable Gitea service
  service:
    name: "{{ docker_compose_service }}@{{ gitea_name }}"
--- a/roles/gitea/templates/docker-compose.yml.j2
+++ b/roles/gitea/templates/docker-compose.yml.j2
@ -12,6 +12,7 @@ services:
    environment:
      - USER_UID={{ getent_passwd.git[1] }}
      - USER_GID={{ getent_group.git[1] }}
+      - GITEA__log__MODE=file
      - GITEA__server__ROOT_URL=${gitea_rooturl}
      - GITEA__server__DOMAIN=${gitea_domain}
      - GITEA__server__SSH_DOMAIN=${gitea_domain}
@ -25,7 +26,8 @@ services:
      - GITEA__service__DISABLE_REGISTRATION=${gitea_disable_registration}
    volumes:
      - {{ gitea_volume }}:/data
-      - /home/git/.ssh/:/data/git/.ssh
+      - /home/git/.ssh:/data/git/.ssh
+      - /var/log/gitea:/data/gitea/log
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro

--- a/roles/gitea/templates/fail2ban-filter.conf.j2
+++ b/roles/gitea/templates/fail2ban-filter.conf.j2
@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+[Definition]
+failregex =  .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
+ignoreregex =
--- a/roles/gitea/templates/fail2ban-jail.conf.j2
+++ b/roles/gitea/templates/fail2ban-jail.conf.j2
@ -0,0 +1,18 @@
+# {{ ansible_managed }}
+[gitea]
+enabled = true
+filter = gitea
+logpath = /var/log/gitea/gitea.log
+maxretry = 10
+findtime = 3600
+bantime = 900
+action = iptables-allports
+
+[gitea-docker]
+enabled = true
+filter = gitea
+logpath = /var/log/gitea/gitea.log
+maxretry = 10
+findtime = 3600
+bantime = 900
+action = iptables-allports[chain="FORWARD"]