From 25a5af1d24b16b9b8577a48904d6e9aebed4f856 Mon Sep 17 00:00:00 2001
From: Felix Buehler <account@buehler.rocks>
Date: Sun, 21 May 2023 20:23:20 +0200
Subject: [PATCH] service/sshd: add loki alert rule

---
 modules/services/loki/default.nix       | 2 +-
 modules/services/ssh-server/default.nix | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/modules/services/loki/default.nix b/modules/services/loki/default.nix
index fa28897..c85be4c 100644
--- a/modules/services/loki/default.nix
+++ b/modules/services/loki/default.nix
@@ -141,7 +141,7 @@ in
     };
 
     my.services.loki.rules = {
-      HighLogRate = {
+      loki_highLogRate = {
         condition = ''sum by (host) (rate({unit="loki.service"}[1m])) > 60'';
         description = "Loki has a high logging rate";
       };
diff --git a/modules/services/ssh-server/default.nix b/modules/services/ssh-server/default.nix
index 3aa1827..212c62e 100644
--- a/modules/services/ssh-server/default.nix
+++ b/modules/services/ssh-server/default.nix
@@ -25,5 +25,12 @@ in
     # by setting an hashed password in the `users.users.felix` block as `initialHashedPassword`.
     # additionally needed by deploy-rs
     security.sudo.wheelNeedsPassword = false;
+
+    my.services.loki.rules = {
+      sshd_closed = {
+        condition = ''count_over_time({unit="sshd.service"} |~ "Connection closed by authenticating user" [15m]) > 15'';
+        description = "More then 15 users have tried loggin in without success";
+      };
+    };
   };
 }