marcel/familienarchiv
1
0
Fork 0
Code Issues 118 Pull Requests 2 Actions Packages Projects Releases Wiki Activity

Merge pull request 'fix(fail2ban): pin polling backend so jail actually reads Caddy access log (#503)' (#504) from fix/issue-503-fail2ban-polling-backend into main
Some checks failed
CI / Unit & Component Tests (push) Failing after 2m47s
Details
CI / OCR Service Tests (push) Successful in 16s
Details
CI / Backend Unit Tests (push) Successful in 4m12s
Details
CI / fail2ban Regex (push) Successful in 39s
Details
CI / Compose Bucket Idempotency (push) Failing after 50s
Details

Browse Source
This commit was merged in pull request #504.
This commit is contained in:
marcel
2026-05-11 15:08:58 +02:00
parent 4d4d5793bb e5363913ec
commit c3c1efe5f1
2 changed files with 21 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
.gitea/workflows/ci.yml
View File

@@ -172,6 +172,21 @@ jobs:
echo "$out" | grep -qE '0 matched' \ echo "$out" | grep -qE '0 matched' \
|| { echo "expected 0 matches for /api/documents 401"; exit 1; } || { echo "expected 0 matches for /api/documents 401"; exit 1; }
# ── Backend resolves to file-polling, not systemd ─────────────────────
# The Debian/Ubuntu fail2ban package ships defaults-debian.conf with
# `[DEFAULT] backend = systemd`. Without `backend = polling` in our
# jail, the daemon loads the jail but reads from journald and never
# touches /var/log/caddy/access.log — i.e. the regex above passes in
# isolation while the live jail is inert. See issue #503.
- name: Jail resolves with polling backend (not inherited systemd)
run: |
sudo ln -sfn "$PWD/infra/fail2ban/jail.d/familienarchiv.conf" /etc/fail2ban/jail.d/familienarchiv.conf
sudo ln -sfn "$PWD/infra/fail2ban/filter.d/familienarchiv-auth.conf" /etc/fail2ban/filter.d/familienarchiv-auth.conf
dump=$(sudo fail2ban-client -d 2>&1)
echo "$dump" | grep -E "add.*familienarchiv-auth" || true
echo "$dump" | grep -qE "\['add', 'familienarchiv-auth', 'polling'\]" \
|| { echo "FAIL: familienarchiv-auth jail did not resolve to 'polling' backend"; exit 1; }
# ─── Compose Bucket-Bootstrap Idempotency ───────────────────────────────────── # ─── Compose Bucket-Bootstrap Idempotency ─────────────────────────────────────
# docker-compose.prod.yml's create-buckets service runs on every # docker-compose.prod.yml's create-buckets service runs on every
# `docker compose up` (one-shot, no restart). Must be idempotent — a # `docker compose up` (one-shot, no restart). Must be idempotent — a

6
infra/fail2ban/jail.d/familienarchiv.conf
View File

@@ -19,6 +19,12 @@
[familienarchiv-auth] [familienarchiv-auth]
enabled = true enabled = true
# Override Debian's `backend = systemd` default (set in
# /etc/fail2ban/jail.d/defaults-debian.conf). Without this line our jail
# inherits the systemd backend, reads from journald, and never inspects
# Caddy's file-based JSON access log — i.e. brute-force protection is inert.
# `polling` works without inotify and is fine for one rotated log file.
backend = polling
filter = familienarchiv-auth filter = familienarchiv-auth
logpath = /var/log/caddy/access.log logpath = /var/log/caddy/access.log
maxretry = 10 maxretry = 10