Kabbone/nixos-config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: Kabbone:1771fba57b5ced7e86070779fffd66aec08366b3
Branches Tags
Kabbone:main
Kabbone:dev
Kabbone:refactor
..
compare: Kabbone:c17489376e9940d80a6c62a4882687dcc813735a
Branches Tags
Kabbone:main
Kabbone:dev
Kabbone:refactor

2 Commits
1771fba57b ... c17489376e

Author SHA1 Message Date
Kabbone
c17489376e
server: nextcloud: enable fail2ban 2023-06-04 15:03:12 +02:00
Kabbone
6059c3c0ba
server: gitea: fail2ban fix 2023-06-04 14:22:57 +02:00
4 changed files with 24 additions and 3 deletions
Show Stats Expand all files Collapse all files

17
hosts/configuration_server.nix
View File

@ -80,6 +80,10 @@
source = ../modules/services/server/fail2ban/filter/gitea.conf; source = ../modules/services/server/fail2ban/filter/gitea.conf;
mode = "0444"; mode = "0444";
}; };
"fail2ban/filter.d/nextcloud.conf" = {
source = ../modules/services/server/fail2ban/filter/nextcloud.conf;
mode = "0444";
};
}; };
systemPackages = with pkgs; [ # Default packages install system-wide systemPackages = with pkgs; [ # Default packages install system-wide
vim vim
@ -116,16 +120,23 @@
fail2ban = { fail2ban = {
enable = true; enable = true;
maxretry = 5; maxretry = 5;
extraSettings = {
findtime = "15m";
bantime = "1h";
};
jails = { jails = {
gitea = '' gitea = ''
enabled = true enabled = true
filter = gitea filter = gitea
backend = systemd backend = systemd
maxretry = 10
findtime = 3600
bantime = 900
action = iptables-allports action = iptables-allports
''; '';
nextcloud = ''
backend = auto
enabled = true
filter = nextcloud
logpath = /var/lib/nextcloud/data/nextcloud.log
action = iptables-allports
}; };
}; };

2
modules/services/server/fail2ban/filter/gitea.conf
View File

@ -1,3 +1,5 @@
[Definition] [Definition]
failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST> failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
ignoreregex = ignoreregex =
#journalmatch = _SYSTEMD_UNIT=gitea.servie
journalmatch =

6
modules/services/server/fail2ban/filter/nextcloud.conf Normal file
View File

@ -0,0 +1,6 @@
[Definition]
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
journalmatch =

2
modules/services/server/nextcloud.nix
View File

@ -8,11 +8,13 @@
package = pkgs.nextcloud26; package = pkgs.nextcloud26;
enableBrokenCiphersForSSE = false; enableBrokenCiphersForSSE = false;
database.createLocally = false; database.createLocally = false;
logType = "file";
caching = { caching = {
redis = true; redis = true;
apcu = false; apcu = false;
}; };
extraOptions = { extraOptions = {
logfile = "nextcloud.log";
redis = { redis = {
host = "/run/redis-nextcloud/redis.sock"; host = "/run/redis-nextcloud/redis.sock";
port = 0; port = 0;