moved fail2ban to service file added webhost profile
This commit is contained in:
parent
5910379de9
commit
eee0766421
@ -6,9 +6,9 @@
{
imports =
[ # Include the results of the hardware scan.
../../profiles/base.nix
../../services/ssh.nix
../../services/nginx.nix
../../profiles/webhost.nix
#../../services/ssh.nix
#../../services/nginx.nix
];
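Review bot: The two commented-out imports `#../../services/ssh.nix` and `#../../services/nginx.nix` are dead lines now that `../../profiles/webhost.nix` pulls in nginx (and base.nix appears to pull in ssh); delete them rather than keeping them as a record, since git already holds the history. The same applies to the commented-out `services.fail2ban` block in the `@ -138,19 +138,19 @@` hunk, where the `#fail2ban moved to service file` comment and the thirteen commented lines can go entirely once the service file is the single source of truth. The stale `# Include the results of the hardware scan.` remark on the `[` line describes none of the listed imports and could be dropped in the same pass.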
@ -138,19 +138,19 @@ users.users."gunalx".openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEj+Y0RUrSaF8gUW8m2BY6i8e7/0bUWhu8u8KW+AoHDh gunalx@nixos"
];
#fail2ban
services.fail2ban = {
enable = true;
maxretry = 5;
ignoreIP = [
"127.0.0.0/8"
"10.0.0.0/8"
"100.64.0.0/8"
"172.16.0.0/12"
"192.168.0.0/16"
"8.8.8.8"
];
};
#fail2ban moved to service file
#services.fail2ban = {
# enable = true;
# maxretry = 5;
# ignoreIP = [
# "127.0.0.0/8"
# "10.0.0.0/8"
# "100.64.0.0/8"
# "172.16.0.0/12"
# "192.168.0.0/16"
# "8.8.8.8"
# ];
# };
#firewall options
networking.firewall = {
@ -3,7 +3,7 @@
imports =
[
../packages/vim.nix
./sops.nix
../services/ssh.nix
];
#nix stuff
@ -0,0 +1,12 @@
{ config, pkgs, lib, ... }:
{
imports =
[
./base.nix
./sops.nix
../services/nginx.nix
#../services/authelia.nix
../services/fail2ban.nix
];
}
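Review bot: `#../services/authelia.nix` stays commented out in this profile, yet the new `../services/fail2ban.nix` (the `@ -0,0 +1,71 @@` hunk) enables an `authelia` jail and installs an Authelia filter for it, so the jail is armed for a service this profile does not run. Either import the Authelia service here or keep that jail at `enabled = false` until it is, and say which in a comment next to the import. `./sops.nix` also appears to be imported already by `./base.nix` (see the `@ -3,7 +3,7 @@` hunk); the second import is harmless in the module system but a `# already imported via base.nix` note or its removal would avoid the question.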
@ -0,0 +1,71 @@
{ config, pkgs, lib, ... }:
{
#fail2ban
services.fail2ban = {
enable = true;
maxretry = 10;
#ignore local ips
ignoreIP = [
"127.0.0.0/8"
"10.0.0.0/8"
"100.64.0.0/8"
"172.16.0.0/12"
"192.168.0.0/16"
"8.8.8.8"
];
jails = {
nginx-http-auth = ''
enabled = true
port = http,https
logpath = /var/log/nginx/*.log
backend = polling
journalmatch =
'';
nginx-botsearch = ''
enabled = true
port = http,https
logpath = /var/log/nginx/*.log
backend = polling
journalmatch =
'';
nginx-bad-request = ''
enabled = true
port = http,https
logpath = /var/log/nginx/*.log
backend = polling
journalmatch =
'';
authelia = ''
enabled = true
port = http,https
'';
};
};
environment.etc = {
"fail2ban/filter.d/authelia.conf".text = ''
# Fail2Ban filter for Authelia
# Make sure that the HTTP header "X-Forwarded-For" received by Authelia's backend
# only contains a single IP address (the one from the end-user), and not the proxy chain
# (it is misleading: usually, this is the purpose of this header).
# the failregex rule counts every failed 1FA attempt (first line, wrong username or password) and failed 2FA attempt
# second line) as a failure.
# the ignoreregex rule ignores debug, info and warning messages as all authentication failures are flagged as errors
[Definition]
failregex = ^.*Unsuccessful 1FA authentication attempt by user .*remote_ip="?<HOST>"? stack.*
^.*Unsuccessful (TOTP|Duo|U2F) authentication attempt by user .*remote_ip="?<HOST>"? stack.*
ignoreregex = ^.*level=debug.*
^.*level=info.*
^.*level=warning.*
journalmatch = _SYSTEMD_UNIT=authelia-main.service + _COMM=authelia
'';
};
}
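Review bot: The three nginx jails read `logpath = /var/log/nginx/*.log` with `backend = polling` and an empty `journalmatch`, but the nginx hunk (`@ -42,20 +42,25 @@`) sends both `logError` and `access_log` to `syslog:server=unix:/dev/log`, so those files will not carry the lines the filters look for and the jails either fail to start on an unmatched glob or never ban anything. Either point the nginx jails at the journal (`backend = systemd` plus `journalmatch = _SYSTEMD_UNIT=nginx.service`) or keep file-based nginx logging for the paths the jails read. `"100.64.0.0/8"` in `ignoreIP` exempts 100.0.0.0–100.255.255.255 from banning, which is far wider than the shared-address block; if that block is what is meant, it should be `"100.64.0.0/10"`. `maxretry` also rises from 5 in the removed host-level block to 10 here, loosening the policy as a side effect of the move; if deliberate, a one-line comment above it would make that clear. The `authelia` jail declares no `logpath` or `backend`, and unless fail2ban's default backend on this system is systemd, the `journalmatch` inside the filter file is presumably not enough for the jail to start — worth confirming with `fail2ban-client status authelia` after a rebuild.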
@ -42,20 +42,25 @@
recommendedGzipSettings = true;
recommendedOptimisation = true;
logError = "syslog:server=unix:/dev/log";
commonHttpConfig = ''
access_log syslog:server=unix:/dev/log;
'';
virtualHosts.${"managment.funn-nas.lauterer.it"} = {
virtualHosts."managment.funn-nas.lauterer.it" = {
forceSSL = true;
useACMEHost = "${config.networking.domain}";
useACMEHost = config.networking.domain;
locations."/" = {
proxyWebsockets = true;
proxyPass = "http://100.104.182.48";
proxyPass = "https://100.104.182.48";
};
basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
};
virtualHosts.${"funn-nas.lauterer.it"} = {
virtualHosts."funn-nas.lauterer.it" = {
forceSSL = true;
useACMEHost = "${config.networking.domain}";
useACMEHost = config.networking.domain;
locations."/" = {
proxyWebsockets = true;
proxyPass = "https://100.104.182.48:30044";
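Review bot: Switching `proxyPass` to `"https://100.104.182.48"` encrypts the upstream hop but does not authenticate it, because nginx leaves `proxy_ssl_verify` off by default; to actually pin the backend the location needs `extraConfig` with `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate` pointing at the upstream's CA, and a `proxy_ssl_name` matching the certificate (the target is an IP literal, so SNI and name checking will not line up on their own). If the upstream certificate cannot be pinned, a comment above the line saying so keeps the gap deliberate rather than assumed. The rewrite from `${"..."}` attribute keys to plain strings and from `"${config.networking.domain}"` to `config.networking.domain` is a good cleanup and applies to both virtual hosts in this hunk. The `commonHttpConfig` block that sends `access_log` to syslog appears to be added here; with file logging gone, any consumer that still reads `/var/log/nginx/*.log` needs to be updated in the same change.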