moved fail2ban to service file added webhost profile

2023-12-10 21:14:55 +01:00 · 2023-12-10 21:14:55 +01:00 · eee0766421
parent 5910379de9
commit eee0766421
5 changed files with 110 additions and 22 deletions
--- a/machines/elrond/configuration.nix
+++ b/machines/elrond/configuration.nix
@ -6,9 +6,9 @@
 {
  imports =
    [ # Include the results of the hardware scan.
-      ../../profiles/base.nix
-      ../../services/ssh.nix
-      ../../services/nginx.nix
+      ../../profiles/webhost.nix
+      #../../services/ssh.nix
+      #../../services/nginx.nix
    ];


@ -138,19 +138,19 @@ users.users."gunalx".openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEj+Y0RUrSaF8gUW8m2BY6i8e7/0bUWhu8u8KW+AoHDh gunalx@nixos"
  ];

-  #fail2ban
-  services.fail2ban = {
-    enable = true;
-    maxretry = 5;
-    ignoreIP = [
-      "127.0.0.0/8" 
-      "10.0.0.0/8" 
-      "100.64.0.0/8" 
-      "172.16.0.0/12"
-      "192.168.0.0/16"
-      "8.8.8.8"
-    ];
-  };
+  #fail2ban moved to service file
+  #services.fail2ban = {
+  #  enable = true;
+  #  maxretry = 5;
+  #  ignoreIP = [
+  #     "127.0.0.0/8" 
+  #     "10.0.0.0/8" 
+  #     "100.64.0.0/8" 
+  #     "172.16.0.0/12"
+  #     "192.168.0.0/16"
+  #     "8.8.8.8"
+  #   ];
+  # };

  #firewall options
  networking.firewall = {
--- a/profiles/base.nix
+++ b/profiles/base.nix
@ -3,7 +3,7 @@
 imports =
    [ 
      ../packages/vim.nix
-      ./sops.nix
+      ../services/ssh.nix
    ];

  #nix stuff
--- a/profiles/webhost.nix
+++ b/profiles/webhost.nix
@ -0,0 +1,12 @@
+{ config, pkgs, lib, ... }:
+{
+imports =
+    [ 
+      ./base.nix
+      ./sops.nix
+      ../services/nginx.nix
+      #../services/authelia.nix
+      ../services/fail2ban.nix
+    ];
+
+}
--- a/services/fail2ban.nix
+++ b/services/fail2ban.nix
@ -0,0 +1,71 @@
+{ config, pkgs, lib, ... }:
+{
+#fail2ban
+  services.fail2ban = {
+    enable = true;
+    maxretry = 10;
+
+    #ignore local ips
+    ignoreIP = [
+      "127.0.0.0/8" 
+      "10.0.0.0/8" 
+      "100.64.0.0/8" 
+      "172.16.0.0/12"
+      "192.168.0.0/16"
+      "8.8.8.8"
+    ];
+    jails = {
+      nginx-http-auth = ''
+        enabled  = true
+        port     = http,https
+        logpath  = /var/log/nginx/*.log
+        backend  = polling
+        journalmatch =
+      '';
+      nginx-botsearch = ''
+        enabled  = true
+        port     = http,https
+        logpath  = /var/log/nginx/*.log
+        backend  = polling
+        journalmatch =
+      '';
+      nginx-bad-request = ''
+        enabled  = true
+        port     = http,https
+        logpath  = /var/log/nginx/*.log
+        backend  = polling
+        journalmatch =
+      '';
+      authelia = ''
+        enabled  = true
+        port     = http,https
+      '';
+    };
+  };
+
+
+
+  environment.etc = {
+      "fail2ban/filter.d/authelia.conf".text = ''
+         # Fail2Ban filter for Authelia
+   
+         # Make sure that the HTTP header "X-Forwarded-For" received by Authelia's backend
+         # only contains a single IP address (the one from the end-user), and not the proxy chain
+         # (it is misleading: usually, this is the purpose of this header).
+   
+         # the failregex rule counts every failed 1FA attempt (first line, wrong username or password) and failed 2FA attempt
+         # second line) as a failure.
+         # the ignoreregex rule ignores debug, info and warning messages as all authentication failures are flagged as errors
+   
+         [Definition]
+         failregex = ^.*Unsuccessful 1FA authentication attempt by user .*remote_ip="?<HOST>"? stack.*
+                     ^.*Unsuccessful (TOTP|Duo|U2F) authentication attempt by user .*remote_ip="?<HOST>"? stack.*
+   
+         ignoreregex = ^.*level=debug.*
+                       ^.*level=info.*
+                       ^.*level=warning.*
+   
+        journalmatch = _SYSTEMD_UNIT=authelia-main.service + _COMM=authelia
+      '';
+    };
+}
--- a/services/nginx.nix
+++ b/services/nginx.nix
@ -42,20 +42,25 @@
    recommendedGzipSettings = true;
    recommendedOptimisation = true;

+    logError = "syslog:server=unix:/dev/log";
+    commonHttpConfig = ''
+     access_log syslog:server=unix:/dev/log;
+    '';

-    virtualHosts.${"managment.funn-nas.lauterer.it"} = {
+
+    virtualHosts."managment.funn-nas.lauterer.it" = {
      forceSSL = true;
-      useACMEHost = "${config.networking.domain}";
+      useACMEHost = config.networking.domain;
      locations."/" = {
        proxyWebsockets = true;
-        proxyPass = "http://100.104.182.48";
+        proxyPass = "https://100.104.182.48";
      };
      basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
    };

-    virtualHosts.${"funn-nas.lauterer.it"} = {
+    virtualHosts."funn-nas.lauterer.it" = {
      forceSSL = true;
-      useACMEHost = "${config.networking.domain}";
+      useACMEHost = config.networking.domain;
      locations."/" = {
        proxyWebsockets = true;
        proxyPass = "https://100.104.182.48:30044";