Expose Forgejo publicly at forge.eblu.me #278

Merged
eblume merged 14 commits from feature/forge-public into main 2026-03-03 08:40:42 -08:00
2 changed files with 11 additions and 3 deletions
Showing only changes of commit 52f0308f1a - Show all commits

Fix fail2ban crash: disable default sshd jail, make non-fatal

Alpine's fail2ban ships with sshd jail enabled by default. Since there's
no SSH server in the Fly.io container, fail2ban exits with an error
looking for sshd logs — crashing the container via set -e.

Disable the sshd jail explicitly and make fail2ban startup non-fatal
since nginx rate limiting is the primary defense.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Erich Blume 2026-03-03 08:29:33 -08:00

@ -1,3 +1,7 @@
# Disable the default sshd jail — no SSH server in this container
[sshd]
enabled = false
[forge-login] [forge-login]
enabled = true enabled = true
filter = forge-login filter = forge-login
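Review bot: The new [sshd] enabled = false override at the top of this file only wins if fail2ban reads this file after the distro file that enables the jail, and the file name is not visible in this view. fail2ban loads jail.conf first, then jail.d/*.conf in alphabetical order, then jail.local, then jail.d/*.local. Please confirm this file is installed as jail.local or as a .local file, or have the image build delete the distro's sshd jail file. Since the container only needs forge-login, it is also worth noting in the comment that any other jail the base image enables in future would bring back the same startup failure.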

@ -20,9 +20,13 @@ nginx -g "daemon off;" &
NGINX_PID=$! NGINX_PID=$!
echo "Nginx started" echo "Nginx started"
# Start fail2ban for login brute-force protection # Start fail2ban for login brute-force protection.
fail2ban-server -b # Non-fatal — nginx rate limiting is the primary defense; fail2ban is additive.
echo "fail2ban started" if fail2ban-server -b; then
echo "fail2ban started"
else
echo "WARNING: fail2ban failed to start (nginx rate limiting still active)"
fi
# Start Alloy for observability (logs → Loki, metrics → Prometheus) # Start Alloy for observability (logs → Loki, metrics → Prometheus)
alloy run /etc/alloy/config.alloy \ alloy run /etc/alloy/config.alloy \
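Review bot: In the new else branch the failure is reported only by an echo to stdout, so the container can run indefinitely without login banning and nothing distinguishes that state from a healthy start. Suggest writing the WARNING to stderr with a stable string and adding an alert on it, since the Alloy step that follows already ships logs to Loki. Also note that the script keeps NGINX_PID but has no handle on fail2ban, which is started with -b, so a fail2ban server that dies after a successful start goes unnoticed; a periodic fail2ban-client ping would cover that case.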