fix(fail2ban): some hacky fix

2025-10-07 21:05:43 +02:00
parent 549037fe69
commit 46aa5a9deb
7 changed files with 50 additions and 23 deletions


@@ -66,7 +66,7 @@ in {
jails = { jails = {
authentik = { authentik = {
serviceName = "authentik"; serviceName = "authentik";
failRegex = "^.*Username or password is incorrect.*IP:\s*<HOST>"; failRegex = ''^.*Username or password is incorrect.*IP:\s*<HOST>'';
}; };
}; };
}; };
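Review bot: The change from `"…"` to `''…''` on the `failRegex` line is what makes `\s` reach fail2ban at all, but nothing says so, and next to the `"…"` strings in the same attribute set it reads like an arbitrary variation that a later cleanup could revert. A one-line comment above `failRegex` would protect it: `# keep ''…'' here: inside a "…" string Nix drops the backslash, so \s becomes a literal s`. The gitea and vaultwarden jails touched in this commit rely on the same quoting and would benefit from the same remark.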


@@ -30,14 +30,28 @@ in {
example = "vaultwarden"; example = "vaultwarden";
type = lib.types.str; type = lib.types.str;
}; };
_groupsre = lib.mkOption {
type = lib.types.lines;
example = ''(?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)'';
default = "";
};
failRegex = lib.mkOption { failRegex = lib.mkOption {
type = lib.types.str; type = lib.types.lines;
example = "Login failed from IP: <HOST>"; example = ''
^Login failed from IP: <HOST>$
^Two-factor challenge failed from <HOST>$
'';
}; };
ignoreRegex = lib.mkOption { ignoreRegex = lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = ""; default = "";
}; };
datePattern = lib.mkOption {
type = lib.types.str;
default = "";
example = '',?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"'';
description = "Optional datepattern line for the fail2ban filter.";
};
maxRetry = lib.mkOption { maxRetry = lib.mkOption {
type = lib.types.int; type = lib.types.int;
default = 3; default = 3;
@@ -75,10 +89,17 @@ in {
environment.etc = lib.attrsets.mergeAttrsList [ environment.etc = lib.attrsets.mergeAttrsList [
(lib.attrsets.mapAttrs' ( (lib.attrsets.mapAttrs' (
name: value: (lib.nameValuePair "fail2ban/filter.d/${name}.conf" { name: value: (lib.nameValuePair "fail2ban/filter.d/${name}.conf" {
text = '' text =
''
[Definition] [Definition]
failregex = ${value.failRegex} failregex = ${value.failRegex}
ignoreregex = ${value.ignoreRegex} ignoreregex = ${value.ignoreRegex}
''
+ lib.optionalString (value.datePattern != "") ''
datepattern = ${value.datePattern}
''
+ lib.optionalString (value._groupsre != "") ''
_groupsre = ${value._groupsre}
''; '';
}) })
) )
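Review bot: `failregex = ${value.failRegex}` on the new side does not indent continuation lines, yet `failRegex` has just become `lib.types.lines` and the nextcloud jail in this commit passes a three-line value. As far as I can tell Nix inserts an interpolated value verbatim into an indented string, so the second and third regex lines land at column 0 of `fail2ban/filter.d/<name>.conf`, where an INI reader does not treat them as a continuation of `failregex` (and a line containing `:` may even be read as a new option). Re-indenting before interpolating gives the expected layout, e.g. `failregex = ${lib.replaceStrings ["\n"] ["\n  "] (lib.removeSuffix "\n" value.failRegex)}`; `_groupsre` is also `lines` and would need the same treatment. The new `_groupsre` option also lacks a `description`, unlike `datePattern`; something like `description = "Optional helper regex, referenced as %(_groupsre)s from failRegex.";` would document it.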


@@ -63,7 +63,7 @@ in {
jails = { jails = {
gitea = { gitea = {
serviceName = "gitea"; serviceName = "gitea";
failRegex = "^.*Username or password is incorrect. Try again. IP: <HOST>. Username: <F-USER>.*</F-USER>.$"; failRegex = ''.*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>'';
}; };
}; };
}; };


@@ -3,17 +3,18 @@
lib, lib,
... ...
}: let }: let
service = "jellyseerr"; unit = "jellyseerr";
srv = config.server; srv = config.server;
cfg = config.server.${service}; cfg = config.server.${unit};
in { in {
options.server.${service} = { options.server.${unit} = {
enable = lib.mkEnableOption { enable = lib.mkEnableOption {
description = "Enable ${service}"; description = "Enable ${unit}";
}; };
url = lib.mkOption { url = lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = "${service}.${srv.domain}"; # default = "seer.${srv.tailscale.url}";
default = "jellyseerr.${srv.domain}";
}; };
port = lib.mkOption { port = lib.mkOption {
type = lib.types.port; type = lib.types.port;
@@ -37,21 +38,20 @@ in {
}; };
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
services.${service} = { services.${unit} = {
enable = true; enable = true;
port = cfg.port; port = cfg.port;
}; };
services.traefik = { services.traefik = {
dynamicConfigOptions = { dynamicConfigOptions = {
http = { http = {
services.jellyseerr.loadBalancer.servers = [{url = "http://127.0.0.1:${toString cfg.port}";}]; services.jellyseerr.loadBalancer.servers = [{url = "http://localhost:${toString cfg.port}";}];
routers = { routers = {
jellyseerr = { jellyseerr = {
entryPoints = ["websecure"]; entryPoints = ["websecure"];
rule = "Host(`${cfg.url}`)"; rule = "Host(`${cfg.url}`)";
service = "jellyseerr"; service = "${unit}";
tls.certResolver = "letsencrypt"; tls.certResolver = "letsencrypt";
# middlewares = ["authentik"];
}; };
}; };
}; };
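Review bot: `http://localhost:${toString cfg.port}` in the loadBalancer server replaces a literal loopback address with a name, so the address Traefik dials now depends on the host resolver (often `::1` before `127.0.0.1`); if jellyseerr only listens on IPv4 this becomes a backend connection failure. Nothing in the commit title covers this file, so presumably the change is incidental, and keeping `url = "http://127.0.0.1:${toString cfg.port}"` avoids the question entirely. The new commented-out `# middlewares = ["authentik"];` line should state its intent so the router is not silently left without the forward-auth middleware, e.g. `# TODO: authentik forward-auth not enabled yet; router is reachable without it`.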


@@ -54,8 +54,14 @@ in {
server.fail2ban = lib.mkIf config.server.fail2ban.enable { server.fail2ban = lib.mkIf config.server.fail2ban.enable {
jails = { jails = {
nextcloud = { nextcloud = {
serviceName = "phpfpm-nextcloud"; serviceName = "${unit}";
failRegex = "^.*Login failed:.*(Remote IP: <HOST>).*$"; _groupsre = ''(?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)'';
failRegex = ''
^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Two-factor challenge failed:
^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
'';
datePattern = '',?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"'';
}; };
}; };
}; };
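Review bot: `serviceName = "${unit}"` replaces `"phpfpm-nextcloud"` with whatever `unit` is bound to outside this hunk, so if `serviceName` selects the journal unit, as the name suggests, the jail now reads a different log source while the new patterns expect Nextcloud's JSON log lines (`"remoteAddr":"<HOST>"…"message":"Login failed:`); confirm those lines actually reach that unit's journal, otherwise the jail silently matches nothing. `"${unit}"` is also just `unit` in Nix, so `serviceName = unit;` says the same thing without the interpolation. The unescaped `.` at the end of `Trusted domain error.` matches any character; `Trusted domain error\.` is what is meant if the literal period is intended.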


@@ -44,7 +44,7 @@ in {
jails = { jails = {
vaultwarden = { vaultwarden = {
serviceName = "vaultwarden"; serviceName = "vaultwarden";
failRegex = "^.*Username or password is incorrect. Try again. IP: <HOST>. Username: <F-USER>.*</F-USER>.$"; failRegex = ''^.*?Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$'';
}; };
}; };
}; };
@@ -72,7 +72,7 @@ in {
logLevel = "warn"; logLevel = "warn";
extendedLogging = true; extendedLogging = true;
useSyslog = true; useSyslog = true;
invitationsAllowed = false; invitationsAllowed = true;
showPasswordHint = false; showPasswordHint = false;
}; };
}; };
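Review bot: `invitationsAllowed = true;` in the second hunk is a Vaultwarden policy change unrelated to the fail2ban fix in the commit title, and from memory of Vaultwarden's `INVITATIONS_ALLOWED` it widens account creation: organization owners and admins can onboard new users even while signups are closed. If that is intended it deserves its own commit or at least a line in this one's message; if not, it should stay `invitationsAllowed = false;`. In the first hunk, dropping `<F-USER>` removes the username from ban log lines; `Username: <F-USER>.*</F-USER>$` would keep it while retaining the new escaping and `<ADDR>` tag.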


@@ -47,7 +47,7 @@ in {
nginx-404 = { nginx-404 = {
serviceName = "nginx"; serviceName = "nginx";
failRegex = ''^.*\[error\].*directory index of.* is forbidden.*client: <HOST>.*$''; failRegex = ''^.*\[error\].*directory index of.* is forbidden.*client: <HOST>.*$'';
ignoreRegex = ""; ignoreRegex = '''';
maxRetry = 5; maxRetry = 5;
}; };
}; };