added fail2ban

2025-01-06 14:06:26 -06:00 · 2025-01-06 14:06:26 -06:00 · 46fd27f768
commit 46fd27f768
parent 84698ba68b
4 changed files with 102 additions and 0 deletions
--- a/modules/nixos-modules/server/default.nix
+++ b/modules/nixos-modules/server/default.nix
@ -1,5 +1,6 @@
 {...}: {
  imports = [
+    ./fail2ban.nix
    ./network_storage
    ./reverse_proxy.nix
    ./postgres.nix
--- a/modules/nixos-modules/server/fail2ban.nix
+++ b/modules/nixos-modules/server/fail2ban.nix
@ -0,0 +1,90 @@
+{
+  lib,
+  config,
+  ...
+}: {
+  options.host.fail2ban = {
+    enable = lib.mkEnableOption "should fail 2 ban be enabled on this server";
+  };
+
+  config = lib.mkIf config.host.fail2ban.enable (lib.mkMerge [
+    {
+      services.fail2ban = {
+        enable = true;
+        maxretry = 5;
+        ignoreIP = [
+          # Whitelist local networks
+          "10.0.0.0/8"
+          "172.16.0.0/12"
+          "192.168.0.0/16"
+        ];
+        bantime = "24h"; # Ban IPs for one day on the first ban
+        bantime-increment = {
+          enable = true; # Enable increment of bantime after each violation
+          formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
+          maxtime = "168h"; # Do not ban for more than 1 week
+          overalljails = true; # Calculate the ban time based on all the violations
+        };
+        jails = {
+          nginx-iptables.settings = lib.mkIf config.services.nginx.enable {
+            filter = "nginx";
+            action = ''iptables-multiport[name=HTTP, port="http,https"]'';
+            backend = "auto";
+            failregex = "limiting requests, excess:.* by zone.*client: <HOST>";
+            findtime = 600;
+            bantime = 600;
+            maxretry = 5;
+          };
+          jellyfin-iptables.settings = lib.mkIf config.services.jellyfin.enable {
+            filter = "jellyfin";
+            action = ''iptables-multiport[name=HTTP, port="http,https"]'';
+            logpath = "${config.services.jellyfin.dataDir}/log/*.log";
+            backend = "auto";
+            failregex = "^.*Authentication request for .* has been denied \\\(IP: \"<ADDR>\"\\\)\\\.";
+            findtime = 600;
+            bantime = 600;
+            maxretry = 5;
+          };
+          nextcloud-iptables.settings = lib.mkIf config.services.nextcloud.enable {
+            filter = "nextcloud";
+            action = ''iptables-multiport[name=HTTP, port="http,https"]'';
+            logpath = "${config.services.nextcloud.datadir}/*.log";
+            backend = "auto";
+            failregex = ''
+              ^{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}$
+                          ^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","user,:".*","app":"no app in context".*","method":".*","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)".*}$
+                          ^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","user":".*","app":".*","method":".*","url":".*","message":"Login failed: .* \(Remote IP: <HOST>\).*}$
+            '';
+            findtime = 600;
+            bantime = 600;
+            maxretry = 5;
+          };
+          forgejo-iptables.settings = lib.mkIf config.services.forgejo.enable {
+            filter = "forgejo";
+            action = ''iptables-multiport[name=HTTP, port="http,https"]'';
+            logpath = "${config.services.forgejo.stateDir}/log/*.log";
+            backend = "auto";
+            failregex = ".*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>";
+            findtime = 600;
+            bantime = 600;
+            maxretry = 5;
+          };
+          home-assistant-iptables.settings = lib.mkIf config.services.home-assistant.enable {
+            filter = "home-assistant";
+            action = ''iptables-multiport[name=HTTP, port="http,https"]'';
+            logpath = "${config.services.home-assistant.configDir}/*.log";
+            backend = "auto";
+            failregex = "^%(__prefix_line)s.*Login attempt or request with invalid authentication from <HOST>.*$";
+            findtime = 600;
+            bantime = 600;
+            maxretry = 5;
+          };
+          # TODO; figure out if there is any fail2ban things we can do on searx
+          # searx-iptables.settings = lib.mkIf config.services.searx.enable {};
+        };
+      };
+    }
+    (lib.mkIf config.host.impermanence.enable {
+      })
+  ]);
+}
--- a/modules/nixos-modules/server/nextcloud.nix
+++ b/modules/nixos-modules/server/nextcloud.nix
@ -32,6 +32,7 @@ in {
          enable = true;
          package = pkgs.nextcloud30;
          hostName = "${config.host.nextcloud.subdomain}.${config.host.reverse_proxy.hostname}";
+          settings.log_type = "file";
          config = {
            adminpassFile = config.sops.secrets."services/nextcloud_adminpass".path;
          };
@ -39,6 +40,13 @@ in {
      };
    }
    (lib.mkIf config.host.impermanence.enable {
+      assertions = [
+        {
+          assertion = config.services.nextcloud.datadir == dataDir;
+          message = "nextcloud data directory does not match persistence";
+        }
+      ];
+
      environment.persistence."/persist/system/root" = {
        enable = true;
        hideMounts = true;