chore: update compose submodule for traefik access logs

2026-05-01 03:33:34 +00:00
2 changed files with 29 additions and 33 deletions
--- a/assets/compose
+++ b/assets/compose
--- a/hosts/lazyworkhorse/configuration.nix
+++ b/hosts/lazyworkhorse/configuration.nix
@@ -316,6 +316,7 @@
  networking.firewall = {
    enable = true;
    allowPing = true;
+    defaultAllow = false;
    
    # Only essential ports exposed to internet
    allowedTCPPorts = [
@@ -355,55 +356,50 @@
  # Fail2ban - automatic IP banning
  services.fail2ban = {
    enable = true;
-    maxretry = 3;
-    bantime = "1h";
+    maxRetry = 3;
+    findtime = 600;
+    bantime = 3600;
    banaction = "iptables-multiport";
    
+    # Ban repeat offenders for 1 week
+    recidive = {
+      enabled = true;
+      filter = "recidive";
+      logpath = "/var/log/fail2ban.log";
+      bantime = 604800;
+      findtime = 86400;
+      maxretry = 3;
+    };
+    
    jails = {
-      # Ban repeat offenders for 1 week
-      recidive = {
-        enabled = true;
-        filter = "recidive";
-        settings = {
-          logpath = "/var/log/fail2ban.log";
-          bantime = "1w";
-          findtime = "1d";
-          maxretry = 3;
-        };
-      };
-      
      # SSH brute force protection
      sshd = {
        enabled = true;
-        settings = {
-          port = "2424";
-          maxretry = 3;
-          bantime = "1h";
-        };
+        filter = "sshd";
+        port = "2424";
+        logpath = "/var/log/auth.log";
+        maxretry = 3;
+        bantime = 3600;
      };
      
      # HTTP authentication failures
      http-auth = {
        enabled = true;
        filter = "apache-auth";
-        settings = {
-          port = "80,443";
-          logpath = "/var/log/traefik/access.log";
-          maxretry = 5;
-          bantime = "1h";
-        };
+        port = "80,443";
+        logpath = "/var/log/traefik/access.log";
+        maxretry = 5;
+        bantime = 3600;
      };
      
      # HTTP scanning/attacks
      http-botsearch = {
        enabled = true;
        filter = "apache-botsearch";
-        settings = {
-          port = "80,443";
-          logpath = "/var/log/traefik/access.log";
-          maxretry = 2;
-          bantime = "2h";
-        };
+        port = "80,443";
+        logpath = [ "/var/log/traefik/access.log" ];
+        maxretry = 2;
+        bantime = 7200;
      };
    };
  };
@@ -474,7 +470,7 @@
  };

  # Audit logging
-  security.audit.enable = true;
+  services.auditd.enable = true;
  
  # Fail2ban log directory
  systemd.tmpfiles.rules = [