server: nextcloud: enable fail2ban

hosts/configuration_server.nix

@@ -80,6 +80,10 @@
         source = ../modules/services/server/fail2ban/filter/gitea.conf;
         mode = "0444";
       };
+      "fail2ban/filter.d/nextcloud.conf" = {
+        source = ../modules/services/server/fail2ban/filter/nextcloud.conf;
+        mode = "0444";
+      };
     };
     systemPackages = with pkgs; [           # Default packages install system-wide
       vim
@@ -127,6 +131,12 @@
               backend = systemd
               action = iptables-allports
             '';
+            nextcloud = ''
+              backend = auto
+              enabled = true
+              filter = nextcloud
+              logpath = /var/lib/nextcloud/data/nextcloud.log
+              action = iptables-allports
           };
     };
 

modules/services/server/fail2ban/filter/nextcloud.conf

@@ -0,0 +1,6 @@
+[Definition]
+_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
+failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
+            ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
+datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
+journalmatch = 

modules/services/server/nextcloud.nix

@@ -8,11 +8,13 @@
         package = pkgs.nextcloud26;
         enableBrokenCiphersForSSE = false;
         database.createLocally = false;
+        logType = "file";
         caching = {
             redis = true;
             apcu = false;
         };
         extraOptions = {
+            logfile = "nextcloud.log";
             redis = {
                 host = "/run/redis-nextcloud/redis.sock";
                 port = 0;