fix(fail2ban): pin polling backend so jail actually reads Caddy access log

Closes #503. Debian's fail2ban package ships defaults-debian.conf with `[DEFAULT] backend = systemd`. Without an explicit override, our familienarchiv-auth jail inherits the systemd backend at runtime, reads from journald, and never inspects /var/log/caddy/access.log. A live login brute-force would not be banned. Add `backend = polling` to the jail and a CI step that links the jail into /etc/fail2ban/ and asserts `fail2ban-client -d` resolves it to the polling backend, not the inherited systemd backend. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-11 14:59:40 +02:00
parent 4d4d5793bb
commit e5363913ec
2 changed files with 21 additions and 0 deletions
--- a/infra/fail2ban/jail.d/familienarchiv.conf
+++ b/infra/fail2ban/jail.d/familienarchiv.conf
@@ -19,6 +19,12 @@

 [familienarchiv-auth]
 enabled  = true
+# Override Debian's `backend = systemd` default (set in
+# /etc/fail2ban/jail.d/defaults-debian.conf). Without this line our jail
+# inherits the systemd backend, reads from journald, and never inspects
+# Caddy's file-based JSON access log — i.e. brute-force protection is inert.
+# `polling` works without inotify and is fine for one rotated log file.
+backend  = polling
 filter   = familienarchiv-auth
 logpath  = /var/log/caddy/access.log
 maxretry = 10