From fedfdb1228a8224fe97fb5bd55e6893246818a34 Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Tue, 3 Mar 2026 08:34:21 -0800
Subject: [PATCH] Remove Alpine's default SSH jails for fail2ban

Alpine ships alpine-ssh.conf with sshd and sshd-ddos jails enabled. These fail on startup because there's no SSH server or /var/log/messages in the container. Remove the file after install instead of trying to override via [DEFAULT] (per-jail enabled=true beats DEFAULT).

Co-Authored-By: Claude Opus 4.6
---
 fly/Dockerfile | 3 ++-
 fly/fail2ban/jail.d/forge.conf | 4 ----
 2 files changed, 2 insertions(+), 5 deletions(-)
diff --git a/fly/Dockerfile b/fly/Dockerfile
index 09099c4..65135c1 100644
--- a/fly/Dockerfile
+++ b/fly/Dockerfile
@@ -9,7 +9,8 @@ COPY --from=docker.io/tailscale/tailscale:stable \
 RUN mkdir -p /var/run/tailscale /var/lib/tailscale \
 && apk add --no-cache iptables ip6tables \
 && apk add --no-cache libc6-compat \
- && apk add --no-cache fail2ban
+ && apk add --no-cache fail2ban \
+ && rm -f /etc/fail2ban/jail.d/alpine-ssh.conf
 
 # Copy Alloy binary from official image (Ubuntu-based, needs libc6-compat)
 COPY --from=docker.io/grafana/alloy:v1.13.1 \
diff --git a/fly/fail2ban/jail.d/forge.conf b/fly/fail2ban/jail.d/forge.conf
index 50be379..7b0843f 100644
--- a/fly/fail2ban/jail.d/forge.conf
+++ b/fly/fail2ban/jail.d/forge.conf
@@ -1,7 +1,3 @@
-# Disable all default jails — this container has no SSH, mail, etc.
-[DEFAULT]
-enabled = false
-
 [forge-login]
 enabled = true
 filter = forge-login
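Review bot: The added `rm -f /etc/fail2ban/jail.d/alpine-ssh.conf` in the Dockerfile hunk succeeds silently when the file is absent, so if a later Alpine fail2ban package renames or splits that file the build stays green while, going by the commit message, fail2ban fails on startup and the forge-login jail presumably never loads. The `apk add --no-cache fail2ban` above it is unpinned, so the package contents can change between builds; dropping the flag (`&& rm /etc/fail2ban/jail.d/alpine-ssh.conf`) would make the build fail at the point where the assumption breaks. The reason for the removal now lives only in the commit message, because the explanatory comment in forge.conf is deleted in the same commit. A comment above the RUN such as `# Alpine's fail2ban package enables sshd jails in jail.d/alpine-ssh.conf; this image has no sshd or /var/log/messages, so remove it` would keep it next to the code.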