From eee076642198795d41e5b4326b1ab781da97881b Mon Sep 17 00:00:00 2001 From: Adrian G L Date: Sun, 10 Dec 2023 21:14:55 +0100 Subject: [PATCH] moved fail2ban to service file added webhost profile --- machines/elrond/configuration.nix | 32 +++++++------- profiles/base.nix | 2 +- profiles/webhost.nix | 12 ++++++ services/fail2ban.nix | 71 +++++++++++++++++++++++++++++++ services/nginx.nix | 15 ++++--- 5 files changed, 110 insertions(+), 22 deletions(-) create mode 100644 profiles/webhost.nix create mode 100644 services/fail2ban.nix diff --git a/machines/elrond/configuration.nix b/machines/elrond/configuration.nix index b5e7602..112ece8 100644 --- a/machines/elrond/configuration.nix +++ b/machines/elrond/configuration.nix @@ -6,9 +6,9 @@ { imports = [ # Include the results of the hardware scan. - ../../profiles/base.nix - ../../services/ssh.nix - ../../services/nginx.nix + ../../profiles/webhost.nix + #../../services/ssh.nix + #../../services/nginx.nix ]; @@ -138,19 +138,19 @@ users.users."gunalx".openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEj+Y0RUrSaF8gUW8m2BY6i8e7/0bUWhu8u8KW+AoHDh gunalx@nixos" ]; - #fail2ban - services.fail2ban = { - enable = true; - maxretry = 5; - ignoreIP = [ - "127.0.0.0/8" - "10.0.0.0/8" - "100.64.0.0/8" - "172.16.0.0/12" - "192.168.0.0/16" - "8.8.8.8" - ]; - }; + #fail2ban moved to service file + #services.fail2ban = { + # enable = true; + # maxretry = 5; + # ignoreIP = [ + # "127.0.0.0/8" + # "10.0.0.0/8" + # "100.64.0.0/8" + # "172.16.0.0/12" + # "192.168.0.0/16" + # "8.8.8.8" + # ]; + # }; #firewall options networking.firewall = { diff --git a/profiles/base.nix b/profiles/base.nix index 4daa019..235d6dc 100644 --- a/profiles/base.nix +++ b/profiles/base.nix @@ -3,7 +3,7 @@ imports = [ ../packages/vim.nix - ./sops.nix + ../services/ssh.nix ]; #nix stuff diff --git a/profiles/webhost.nix b/profiles/webhost.nix new file mode 100644 index 0000000..2904924 --- /dev/null +++ b/profiles/webhost.nix @@ -0,0 +1,12 @@ +{ config, pkgs, lib, ... }: +{ +imports = + [ + ./base.nix + ./sops.nix + ../services/nginx.nix + #../services/authelia.nix + ../services/fail2ban.nix + ]; + +} diff --git a/services/fail2ban.nix b/services/fail2ban.nix new file mode 100644 index 0000000..4a8c69c --- /dev/null +++ b/services/fail2ban.nix @@ -0,0 +1,71 @@ +{ config, pkgs, lib, ... }: +{ +#fail2ban + services.fail2ban = { + enable = true; + maxretry = 10; + + #ignore local ips + ignoreIP = [ + "127.0.0.0/8" + "10.0.0.0/8" + "100.64.0.0/8" + "172.16.0.0/12" + "192.168.0.0/16" + "8.8.8.8" + ]; + jails = { + nginx-http-auth = '' + enabled = true + port = http,https + logpath = /var/log/nginx/*.log + backend = polling + journalmatch = + ''; + nginx-botsearch = '' + enabled = true + port = http,https + logpath = /var/log/nginx/*.log + backend = polling + journalmatch = + ''; + nginx-bad-request = '' + enabled = true + port = http,https + logpath = /var/log/nginx/*.log + backend = polling + journalmatch = + ''; + authelia = '' + enabled = true + port = http,https + ''; + }; + }; + + + + environment.etc = { + "fail2ban/filter.d/authelia.conf".text = '' + # Fail2Ban filter for Authelia + + # Make sure that the HTTP header "X-Forwarded-For" received by Authelia's backend + # only contains a single IP address (the one from the end-user), and not the proxy chain + # (it is misleading: usually, this is the purpose of this header). + + # the failregex rule counts every failed 1FA attempt (first line, wrong username or password) and failed 2FA attempt + # second line) as a failure. + # the ignoreregex rule ignores debug, info and warning messages as all authentication failures are flagged as errors + + [Definition] + failregex = ^.*Unsuccessful 1FA authentication attempt by user .*remote_ip="?"? stack.* + ^.*Unsuccessful (TOTP|Duo|U2F) authentication attempt by user .*remote_ip="?"? stack.* + + ignoreregex = ^.*level=debug.* + ^.*level=info.* + ^.*level=warning.* + + journalmatch = _SYSTEMD_UNIT=authelia-main.service + _COMM=authelia + ''; + }; +} diff --git a/services/nginx.nix b/services/nginx.nix index b59c923..ccb793c 100644 --- a/services/nginx.nix +++ b/services/nginx.nix @@ -42,20 +42,25 @@ recommendedGzipSettings = true; recommendedOptimisation = true; + logError = "syslog:server=unix:/dev/log"; + commonHttpConfig = '' + access_log syslog:server=unix:/dev/log; + ''; - virtualHosts.${"managment.funn-nas.lauterer.it"} = { + + virtualHosts."managment.funn-nas.lauterer.it" = { forceSSL = true; - useACMEHost = "${config.networking.domain}"; + useACMEHost = config.networking.domain; locations."/" = { proxyWebsockets = true; - proxyPass = "http://100.104.182.48"; + proxyPass = "https://100.104.182.48"; }; basicAuthFile = config.sops.secrets."nginx/defaultpass".path; }; - virtualHosts.${"funn-nas.lauterer.it"} = { + virtualHosts."funn-nas.lauterer.it" = { forceSSL = true; - useACMEHost = "${config.networking.domain}"; + useACMEHost = config.networking.domain; locations."/" = { proxyWebsockets = true; proxyPass = "https://100.104.182.48:30044";