From c17489376e9940d80a6c62a4882687dcc813735a Mon Sep 17 00:00:00 2001
From: Kabbone
Date: Sun, 4 Jun 2023 15:03:12 +0200
Subject: [PATCH] server: nextcloud: enable fail2ban
---
 hosts/configuration_server.nix | 10 ++++++++++
 modules/services/server/fail2ban/filter/nextcloud.conf | 6 ++++++
 modules/services/server/nextcloud.nix | 2 ++
 3 files changed, 18 insertions(+)
 create mode 100644 modules/services/server/fail2ban/filter/nextcloud.conf
diff --git a/hosts/configuration_server.nix b/hosts/configuration_server.nix
index e02f79c..4b84f0c 100644
--- a/hosts/configuration_server.nix
+++ b/hosts/configuration_server.nix
@@ -80,6 +80,10 @@
 source = ../modules/services/server/fail2ban/filter/gitea.conf;
 mode = "0444";
 };
+ "fail2ban/filter.d/nextcloud.conf" = {
+ source = ../modules/services/server/fail2ban/filter/nextcloud.conf;
+ mode = "0444";
+ };
 };
 systemPackages = with pkgs; [ # Default packages install system-wide
 vim
@@ -127,6 +131,12 @@
 backend = systemd
 action = iptables-allports
 '';
+ nextcloud = ''
+ backend = auto
+ enabled = true
+ filter = nextcloud
+ logpath = /var/lib/nextcloud/data/nextcloud.log
+ action = iptables-allports
 };
 };
diff --git a/modules/services/server/fail2ban/filter/nextcloud.conf b/modules/services/server/fail2ban/filter/nextcloud.conf
new file mode 100644
index 0000000..5c655ee
--- /dev/null
+++ b/modules/services/server/fail2ban/filter/nextcloud.conf
@@ -0,0 +1,6 @@
+[Definition]
+_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
+failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Login failed:
+ ^\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Trusted domain error.
+datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
+journalmatch =
diff --git a/modules/services/server/nextcloud.nix b/modules/services/server/nextcloud.nix
index f7216a4..bab3495 100644
--- a/modules/services/server/nextcloud.nix
+++ b/modules/services/server/nextcloud.nix
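Review bot: The new `nextcloud` jail string in the second hunk of hosts/configuration_server.nix does not close as rendered here — the six added lines stop at `action = iptables-allports` with no `'';` before the following `};`, unlike the `gitea` jail directly above it; if the closing line was lost in rendering, disregard, otherwise add `'';` after the `action` line or the indented string swallows the rest of the attribute set. Independently, the jail bans whatever address Nextcloud writes as `remoteAddr`, so if this instance is reached through a reverse proxy and Nextcloud's `trusted_proxies`/`forwarded_for_headers` are not configured, every failed login is attributed to the proxy and the proxy itself gets an all-ports ban — worth confirming before this goes live. `logpath` also silently depends on the `logType`/`logfile` values set in modules/services/server/nextcloud.nix by this same patch; a comment next to it such as `# must match services.nextcloud.logType/extraOptions.logfile` would keep the two in step.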
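Review bot: Both `failregex` lines in the new nextcloud.conf capture nothing for the host — `"remoteAddr":""` has an empty string between the quotes — so fail2ban has no address to ban and should refuse the filter for lacking a `<HOST>` group. If the `<HOST>` tag was stripped when this page was rendered, disregard; otherwise each line should read `"remoteAddr":"<HOST>"`. Note also that `_groupsre` only accepts non-empty string values (`"[^"]+"`), so any key logged with an empty value ahead of `remoteAddr` would make that line miss — whether Nextcloud ever emits one there is not shown by this patch. A header comment such as `# Matches Nextcloud JSON log lines; datepattern strips the "time" pair so _groupsre still sees contiguous key/value pairs` would explain the otherwise opaque layout.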
@@ -8,11 +8,13 @@
 package = pkgs.nextcloud26;
 enableBrokenCiphersForSSE = false;
 database.createLocally = false;
+ logType = "file";
 caching = {
 redis = true;
 apcu = false;
 };
 extraOptions = {
+ logfile = "nextcloud.log";
 redis = {
 host = "/run/redis-nextcloud/redis.sock";
 port = 0;
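Review bot: `logfile = "nextcloud.log"` is a bare relative name, while the fail2ban jail added in hosts/configuration_server.nix watches the absolute path `/var/lib/nextcloud/data/nextcloud.log`; whether the relative value ends up at that file depends on the working directory of the PHP process, which nothing in this patch establishes. Nextcloud documents the default location for the file log type as `<datadirectory>/nextcloud.log`, which presumably is already the jail's path on this host, so either drop the `logfile` line or set it to the absolute path the jail uses — confirm against the running instance. Making it explicit would also document the coupling: `logfile = "/var/lib/nextcloud/data/nextcloud.log"; # watched by the fail2ban nextcloud jail`. The `extraOptions` attribute set continues outside the hunk.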