server: nextcloud: enable fail2ban

2023-06-04 15:03:12 +02:00 · 2023-06-04 15:03:12 +02:00 · c17489376e
commit c17489376e
parent 6059c3c0ba
3 changed files with 18 additions and 0 deletions
--- a/hosts/configuration_server.nix
+++ b/hosts/configuration_server.nix
@ -80,6 +80,10 @@
        source = ../modules/services/server/fail2ban/filter/gitea.conf;
        mode = "0444";
      };
+      "fail2ban/filter.d/nextcloud.conf" = {
+        source = ../modules/services/server/fail2ban/filter/nextcloud.conf;
+        mode = "0444";
+      };
    };
    systemPackages = with pkgs; [           # Default packages install system-wide
      vim
@ -127,6 +131,12 @@
              backend = systemd
              action = iptables-allports
            '';
+            nextcloud = ''
+              backend = auto
+              enabled = true
+              filter = nextcloud
+              logpath = /var/lib/nextcloud/data/nextcloud.log
+              action = iptables-allports
          };
    };

--- a/modules/services/server/fail2ban/filter/nextcloud.conf
+++ b/modules/services/server/fail2ban/filter/nextcloud.conf
@ -0,0 +1,6 @@
+[Definition]
+_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
+failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
+            ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
+datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
+journalmatch = 
--- a/modules/services/server/nextcloud.nix
+++ b/modules/services/server/nextcloud.nix
@ -8,11 +8,13 @@
        package = pkgs.nextcloud26;
        enableBrokenCiphersForSSE = false;
        database.createLocally = false;
+        logType = "file";
        caching = {
            redis = true;
            apcu = false;
        };
        extraOptions = {
+            logfile = "nextcloud.log";
            redis = {
                host = "/run/redis-nextcloud/redis.sock";
                port = 0;