fix(fail2ban): some hacky fix

2025-10-07 21:05:43 +02:00
parent 549037fe69
commit 46aa5a9deb
7 changed files with 50 additions and 23 deletions
--- a/modules/server/authentik/default.nix
+++ b/modules/server/authentik/default.nix
@@ -66,7 +66,7 @@ in {
        jails = {
          authentik = {
            serviceName = "authentik";
-            failRegex = "^.*Username or password is incorrect.*IP:\s*<HOST>";
+            failRegex = ''^.*Username or password is incorrect.*IP:\s*<HOST>'';
          };
        };
      };
--- a/modules/server/fail2ban/default.nix
+++ b/modules/server/fail2ban/default.nix
@@ -30,14 +30,28 @@ in {
              example = "vaultwarden";
              type = lib.types.str;
            };
            _groupsre = lib.mkOption {
              type = lib.types.lines;
              example = ''(?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)'';
              default = "";
            };
            failRegex = lib.mkOption {
-              type = lib.types.str;
+              type = lib.types.lines;
-              example = "Login failed from IP: <HOST>";
+              example = ''
                ^Login failed from IP: <HOST>$
                ^Two-factor challenge failed from <HOST>$
              '';
            };
            ignoreRegex = lib.mkOption {
              type = lib.types.str;
              default = "";
            };
            datePattern = lib.mkOption {
              type = lib.types.str;
              default = "";
              example = '',?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"'';
              description = "Optional datepattern line for the fail2ban filter.";
            };
            maxRetry = lib.mkOption {
              type = lib.types.int;
              default = 3;
@@ -75,11 +89,18 @@ in {
    environment.etc = lib.attrsets.mergeAttrsList [
      (lib.attrsets.mapAttrs' (
          name: value: (lib.nameValuePair "fail2ban/filter.d/${name}.conf" {
-            text = ''
+            text =
-              [Definition]
+              ''
-              failregex = ${value.failRegex}
+                [Definition]
-              ignoreregex = ${value.ignoreRegex}
+                failregex = ${value.failRegex}
-            '';
+                ignoreregex = ${value.ignoreRegex}
              ''
              + lib.optionalString (value.datePattern != "") ''
                datepattern = ${value.datePattern}
              ''
              + lib.optionalString (value._groupsre != "") ''
                _groupsre = ${value._groupsre}
              '';
          })
        )
        cfg.jails)
--- a/modules/server/gitea/default.nix
+++ b/modules/server/gitea/default.nix
@@ -63,7 +63,7 @@ in {
        jails = {
          gitea = {
            serviceName = "gitea";
-            failRegex = "^.*Username or password is incorrect. Try again. IP: <HOST>. Username: <F-USER>.*</F-USER>.$";
+            failRegex = ''.*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>'';
          };
        };
      };
--- a/modules/server/jellyseerr/default.nix
+++ b/modules/server/jellyseerr/default.nix
@@ -3,17 +3,18 @@
  lib,
  ...
 }: let
-  service = "jellyseerr";
+  unit = "jellyseerr";
  srv = config.server;
-  cfg = config.server.${service};
+  cfg = config.server.${unit};
 in {
-  options.server.${service} = {
+  options.server.${unit} = {
    enable = lib.mkEnableOption {
-      description = "Enable ${service}";
+      description = "Enable ${unit}";
    };
    url = lib.mkOption {
      type = lib.types.str;
-      default = "${service}.${srv.domain}";
+      # default = "seer.${srv.tailscale.url}";
      default = "jellyseerr.${srv.domain}";
    };
    port = lib.mkOption {
      type = lib.types.port;
@@ -37,21 +38,20 @@ in {
    };
  };
  config = lib.mkIf cfg.enable {
-    services.${service} = {
+    services.${unit} = {
      enable = true;
      port = cfg.port;
    };
    services.traefik = {
      dynamicConfigOptions = {
        http = {
-          services.jellyseerr.loadBalancer.servers = [{url = "http://127.0.0.1:${toString cfg.port}";}];
+          services.jellyseerr.loadBalancer.servers = [{url = "http://localhost:${toString cfg.port}";}];
          routers = {
            jellyseerr = {
              entryPoints = ["websecure"];
              rule = "Host(`${cfg.url}`)";
-              service = "jellyseerr";
+              service = "${unit}";
              tls.certResolver = "letsencrypt";
              # middlewares = ["authentik"];
            };
          };
        };
--- a/modules/server/nextcloud/default.nix
+++ b/modules/server/nextcloud/default.nix
@@ -54,8 +54,14 @@ in {
    server.fail2ban = lib.mkIf config.server.fail2ban.enable {
      jails = {
        nextcloud = {
-          serviceName = "phpfpm-nextcloud";
+          serviceName = "${unit}";
-          failRegex = "^.*Login failed:.*(Remote IP: <HOST>).*$";
+          _groupsre = ''(?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)'';
          failRegex = ''
            ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
                        ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Two-factor challenge failed:
                        ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
          '';
          datePattern = '',?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"'';
        };
      };
    };
--- a/modules/server/vaultwarden/default.nix
+++ b/modules/server/vaultwarden/default.nix
@@ -44,7 +44,7 @@ in {
        jails = {
          vaultwarden = {
            serviceName = "vaultwarden";
-            failRegex = "^.*Username or password is incorrect. Try again. IP: <HOST>. Username: <F-USER>.*</F-USER>.$";
+            failRegex = ''^.*?Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$'';
          };
        };
      };
@@ -72,7 +72,7 @@ in {
          logLevel = "warn";
          extendedLogging = true;
          useSyslog = true;
-          invitationsAllowed = false;
+          invitationsAllowed = true;
          showPasswordHint = false;
        };
      };
--- a/modules/server/www/default.nix
+++ b/modules/server/www/default.nix
@@ -47,7 +47,7 @@ in {
          nginx-404 = {
            serviceName = "nginx";
            failRegex = ''^.*\[error\].*directory index of.* is forbidden.*client: <HOST>.*$'';
-            ignoreRegex = "";
+            ignoreRegex = '''';
            maxRetry = 5;
          };
        };