Add fail2ban jail and filter for Vaultwarden

2026-04-13 11:56:25 +02:00 · 2026-04-13 11:56:25 +02:00 · 6921b62c6b
commit 6921b62c6b
parent d9512be620
1 changed files with 20 additions and 0 deletions
--- a/heimserver/configuration.nix
+++ b/heimserver/configuration.nix
@ -367,6 +367,19 @@
          findtime = 600;
        };
      };
+      "vaultwarden" = {
+        settings = {
+          enabled = true;
+          filter = "vaultwarden";
+          backend = "systemd"; # Crucial: Reads from journalctl
+          # Optimizes performance by only looking at logs with this identifier
+          # Based on your log: "heimserver immich[...]" -> identifier is "immich"
+          journalmatch = "_SYSTEMD_UNIT=vaultwarden.service + SYSLOG_IDENTIFIER=vaultwarden";
+          action = "iptables-allports";
+          maxretry = 5;
+          findtime = 600;
+        };
+      };
    };
  };

@ -387,6 +400,13 @@

    ignoreregex =
  '';
+  
+  environment.etc."fail2ban/filter.d/vaultwarden.local".text = ''
+    [Definition]
+    failregex = .*Username or password is incorrect\. Try again\. IP: <HOST>\. Username: .*
+
+    ignoreregex =
+  '';

  environment.etc."magic-update-script.sh".text = ''
    #!/usr/bin/env bash