From 5341024d966192a9b080b861f8996a42afd850e2 Mon Sep 17 00:00:00 2001
From: Gabriel Arazas
Date: Sat, 14 Jan 2023 12:23:35 +0800
Subject: [PATCH] hosts/plover: update comments and systemd journal matches for fail2ban
---
 hosts/plover/modules/services/gitea.nix | 9 +++++++--
 hosts/plover/modules/services/vaultwarden.nix | 4 ++--
 2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/hosts/plover/modules/services/gitea.nix b/hosts/plover/modules/services/gitea.nix
index 2ff70711..562aff95 100644
--- a/hosts/plover/modules/services/gitea.nix
+++ b/hosts/plover/modules/services/gitea.nix
@@ -29,6 +29,8 @@ in {
 mailerPasswordFile = config.sops.secrets."plover/gitea/smtp/password".path;
+ # You can see the available configuration options at
+ # https://docs.gitea.io/en-us/config-cheat-sheet/.
 settings = {
 "repository.pull_request" = {
 WORK_IN_PROGRESS_PREFIXES = "WIP:,[WIP],DRAFT,[DRAFT]";
@@ -107,7 +109,10 @@ in {
 '';
 };
- # Making sure this plays nicely with the database service of choice.
+ # Making sure this plays nicely with the database service of choice. Take
+ # note, we're mainly using secure schema usage pattern here as described from
+ # the PostgreSQL documentation at
+ # https://www.postgresql.org/docs/15/ddl-schemas.html#DDL-SCHEMAS-PATTERNS.
 services.postgresql = {
 ensureUsers = [{
 name = config.services.gitea.user;
@@ -132,7 +137,7 @@ in {
 gitea = ''
 enabled = true
 backend = systemd
- filter = gitea[journalmatch='_SYSTEMD_UNIT=gitea.service']
+ filter = gitea[journalmatch='_SYSTEMD_UNIT=gitea.service + _COMM=gitea']
 maxretry = 8
 '';
 };
diff --git a/hosts/plover/modules/services/vaultwarden.nix b/hosts/plover/modules/services/vaultwarden.nix
index 1d9a5ef0..36f58714 100644
--- a/hosts/plover/modules/services/vaultwarden.nix
+++ b/hosts/plover/modules/services/vaultwarden.nix
@@ -101,14 +101,14 @@ in {
 vaultwarden-user = ''
 enabled = true
 backend = systemd
- filter = vaultwarden-user[journalmatch='_SYSTEMD_UNIT=vaultwarden.service']
+ filter = vaultwarden-user[journalmatch='_SYSTEMD_UNIT=vaultwarden.service + _COMM=vaultwarden']
 maxretry = 5
 '';
 vaultwarden-admin = ''
 enabled = true
 backend = systemd
- filter = vaultwarden-admin[journalmatch='_SYSTEMD_UNIT=vaultwarden.service']
+ filter = vaultwarden-admin[journalmatch='_SYSTEMD_UNIT=vaultwarden.service + _COMM=vaultwarden']
 maxretry = 3
 '';
 };
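Review bot: In the `vaultwarden-user` and `vaultwarden-admin` jails here, and in the `gitea` jail changed in gitea.nix, the `+` inside `journalmatch` is journalctl's OR separator, so the new match widens what feeds the jail rather than narrowing it. Entries from the unit or from any process whose `_COMM` is `vaultwarden` (respectively `gitea`) now reach the filter's failregex. `_COMM` is journald-set metadata, but it is only the executable name, so lines logged by a same-named process running outside the service unit would be counted towards bans as well. If the intent was to pin the jail to the service, keep the unit-only match, or AND the two fields by dropping the `+`: `journalmatch='_SYSTEMD_UNIT=vaultwarden.service _COMM=vaultwarden'`. The enclosing jails attribute set starts outside this hunk, so a short comment stating which behaviour is intended would help the next reader.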