fix(fail2ban): some hacky fix

2025-10-07 21:05:43 +02:00
parent 549037fe69
commit 46aa5a9deb
7 changed files with 50 additions and 23 deletions


@@ -66,7 +66,7 @@ in {
jails = {
authentik = {
serviceName = "authentik";
failRegex = "^.*Username or password is incorrect.*IP:\s*<HOST>";
failRegex = ''^.*Username or password is incorrect.*IP:\s*<HOST>'';
};
};
};
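Review bot: The switch to an indented string is the real fix on the `failRegex` line, but nothing records why, so a later edit can revert it without noticing: in a Nix double-quoted string the backslash of an unknown escape such as `\s` is dropped and the regex silently becomes `IP:s*<HOST>`. Suggest a comment above the line, `# '' string keeps the backslash in \s literal; a "..." string would drop it`. As a point of style, the leading `^.*` is greedy; fail2ban's filter guidance favors `^.*?` or anchoring to the known log prefix so the match stops at the first occurrence, which the vaultwarden jail in this commit already does and the gitea jail (unanchored `.*(...)`) does not. The `jails` attrset begins before the hunk.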


@@ -30,14 +30,28 @@ in {
example = "vaultwarden";
type = lib.types.str;
};
_groupsre = lib.mkOption {
type = lib.types.lines;
example = ''(?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)'';
default = "";
};
failRegex = lib.mkOption {
type = lib.types.str;
example = "Login failed from IP: <HOST>";
type = lib.types.lines;
example = ''
^Login failed from IP: <HOST>$
^Two-factor challenge failed from <HOST>$
'';
};
ignoreRegex = lib.mkOption {
type = lib.types.str;
default = "";
};
datePattern = lib.mkOption {
type = lib.types.str;
default = "";
example = '',?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"'';
description = "Optional datepattern line for the fail2ban filter.";
};
maxRetry = lib.mkOption {
type = lib.types.int;
default = 3;
@@ -75,11 +89,18 @@ in {
environment.etc = lib.attrsets.mergeAttrsList [
(lib.attrsets.mapAttrs' (
name: value: (lib.nameValuePair "fail2ban/filter.d/${name}.conf" {
text = ''
[Definition]
failregex = ${value.failRegex}
ignoreregex = ${value.ignoreRegex}
'';
text =
''
[Definition]
failregex = ${value.failRegex}
ignoreregex = ${value.ignoreRegex}
''
+ lib.optionalString (value.datePattern != "") ''
datepattern = ${value.datePattern}
''
+ lib.optionalString (value._groupsre != "") ''
_groupsre = ${value._groupsre}
'';
})
)
cfg.jails)
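Review bot: Multi-line `failRegex` values do not survive the INI round-trip as written: `failregex = ${value.failRegex}` inserts the option text verbatim, so with `lib.types.lines` every line after the first lands at column 0 of the generated filter.d file, where fail2ban's config parser treats it as a new key rather than a continuation (continuation lines must be indented). The nextcloud jail in this same commit supplies a three-line value, so as far as I can tell only its first pattern would take effect. Indent continuations when emitting the value, e.g. `failregex = ${lib.replaceStrings ["\n"] ["\n            "] (lib.removeSuffix "\n" value.failRegex)}`, which also strips the trailing newline an indented string leaves so no blank line precedes `ignoreregex`. In the earlier hunk `_groupsre` has no `description`; suggest `description = "Optional helper regex, available to failRegex as %(_groupsre)s.";`. The `environment.etc` list continues past the hunk.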


@@ -63,7 +63,7 @@ in {
jails = {
gitea = {
serviceName = "gitea";
failRegex = "^.*Username or password is incorrect. Try again. IP: <HOST>. Username: <F-USER>.*</F-USER>.$";
failRegex = ''.*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>'';
};
};
};


@@ -3,17 +3,18 @@
lib,
...
}: let
service = "jellyseerr";
unit = "jellyseerr";
srv = config.server;
cfg = config.server.${service};
cfg = config.server.${unit};
in {
options.server.${service} = {
options.server.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${service}";
description = "Enable ${unit}";
};
url = lib.mkOption {
type = lib.types.str;
default = "${service}.${srv.domain}";
# default = "seer.${srv.tailscale.url}";
default = "jellyseerr.${srv.domain}";
};
port = lib.mkOption {
type = lib.types.port;
@@ -37,21 +38,20 @@ in {
};
};
config = lib.mkIf cfg.enable {
services.${service} = {
services.${unit} = {
enable = true;
port = cfg.port;
};
services.traefik = {
dynamicConfigOptions = {
http = {
services.jellyseerr.loadBalancer.servers = [{url = "http://127.0.0.1:${toString cfg.port}";}];
services.jellyseerr.loadBalancer.servers = [{url = "http://localhost:${toString cfg.port}";}];
routers = {
jellyseerr = {
entryPoints = ["websecure"];
rule = "Host(`${cfg.url}`)";
service = "jellyseerr";
service = "${unit}";
tls.certResolver = "letsencrypt";
# middlewares = ["authentik"];
};
};
};
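Review bot: `url = "http://localhost:${toString cfg.port}"` replaces an explicit `127.0.0.1` with a name whose resolution depends on the host's resolver order; if `localhost` resolves to `::1` first and jellyseerr only binds IPv4 (its bind address is not set in this hunk), Traefik's upstream connection fails or behaves unpredictably. Keep the literal loopback address unless the service is known to listen on both families: `services.jellyseerr.loadBalancer.servers = [{url = "http://127.0.0.1:${toString cfg.port}";}];`. Minor style: `service = "${unit}";` interpolates a single string and can be `service = unit;`. The `config = lib.mkIf cfg.enable {` block continues past the hunk.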


@@ -54,8 +54,14 @@ in {
server.fail2ban = lib.mkIf config.server.fail2ban.enable {
jails = {
nextcloud = {
serviceName = "phpfpm-nextcloud";
failRegex = "^.*Login failed:.*(Remote IP: <HOST>).*$";
serviceName = "${unit}";
_groupsre = ''(?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)'';
failRegex = ''
^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Two-factor challenge failed:
^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
'';
datePattern = '',?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"'';
};
};
};
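Review bot: The third failregex line, `"message":"Trusted domain error.`, bans the source of any request whose Host header is not in Nextcloud's trusted domains, which is a configuration-mismatch event rather than an authentication failure; as far as I can tell this also counts reverse-proxy health checks or an admin reaching the instance by IP toward `maxRetry` and can lock out your own infrastructure. Consider dropping that line or giving it its own jail with a separate `maxRetry`, and add a comment above `failRegex` stating that `%(_groupsre)s` is the helper emitted from the module's `_groupsre` option. Also, `serviceName = "${unit}"` relies on a `unit` binding defined outside this hunk, and `serviceName = unit;` avoids the needless interpolation. The `server.fail2ban` block closes at the end of the hunk.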


@@ -44,7 +44,7 @@ in {
jails = {
vaultwarden = {
serviceName = "vaultwarden";
failRegex = "^.*Username or password is incorrect. Try again. IP: <HOST>. Username: <F-USER>.*</F-USER>.$";
failRegex = ''^.*?Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$'';
};
};
};
@@ -72,7 +72,7 @@ in {
logLevel = "warn";
extendedLogging = true;
useSyslog = true;
invitationsAllowed = false;
invitationsAllowed = true;
showPasswordHint = false;
};
};
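Review bot: `invitationsAllowed = true` in the second hunk changes who can create Vaultwarden accounts and is unrelated to the fail2ban fix this commit describes; as I understand the option, it lets existing users invite arbitrary e-mail addresses that can then register even while open signups are disabled. Either split it into its own commit with the reasoning, or record it inline, e.g. `# invitations deliberately enabled: existing users may onboard others although signups are closed`, so the widened registration surface is visible in the config. The `<ADDR>` tag in the first hunk is valid; note that unlike `<HOST>` it matches only IP literals, so hostname entries in the log would no longer be banned. Both hunks sit inside blocks that begin outside the view.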


@@ -47,7 +47,7 @@ in {
nginx-404 = {
serviceName = "nginx";
failRegex = ''^.*\[error\].*directory index of.* is forbidden.*client: <HOST>.*$'';
ignoreRegex = "";
ignoreRegex = '''';
maxRetry = 5;
};
};