moved fail2ban to service file added webhost profile

machines/elrond/configuration.nix

@@ -6,9 +6,9 @@
 {
   imports =
     [ # Include the results of the hardware scan.
-      ../../profiles/base.nix
+      ../../profiles/webhost.nix
-      ../../services/ssh.nix
+      #../../services/ssh.nix
-      ../../services/nginx.nix
+      #../../services/nginx.nix
     ];
 
 
@@ -138,19 +138,19 @@ users.users."gunalx".openssh.authorizedKeys.keys = [
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEj+Y0RUrSaF8gUW8m2BY6i8e7/0bUWhu8u8KW+AoHDh gunalx@nixos"
   ];
 
-  #fail2ban
+  #fail2ban moved to service file
-  services.fail2ban = {
+  #services.fail2ban = {
-    enable = true;
+  #  enable = true;
-    maxretry = 5;
+  #  maxretry = 5;
-    ignoreIP = [
+  #  ignoreIP = [
-      "127.0.0.0/8" 
+  #     "127.0.0.0/8" 
-      "10.0.0.0/8" 
+  #     "10.0.0.0/8" 
-      "100.64.0.0/8" 
+  #     "100.64.0.0/8" 
-      "172.16.0.0/12"
+  #     "172.16.0.0/12"
-      "192.168.0.0/16"
+  #     "192.168.0.0/16"
-      "8.8.8.8"
+  #     "8.8.8.8"
-    ];
+  #   ];
-  };
+  # };
 
   #firewall options
   networking.firewall = {

profiles/base.nix

@@ -3,7 +3,7 @@
 imports =
     [ 
       ../packages/vim.nix
-      ./sops.nix
+      ../services/ssh.nix
     ];
 
   #nix stuff

profiles/webhost.nix

@@ -0,0 +1,12 @@
+{ config, pkgs, lib, ... }:
+{
+imports =
+    [ 
+      ./base.nix
+      ./sops.nix
+      ../services/nginx.nix
+      #../services/authelia.nix
+      ../services/fail2ban.nix
+    ];
+
+}

services/fail2ban.nix

@@ -0,0 +1,71 @@
+{ config, pkgs, lib, ... }:
+{
+#fail2ban
+  services.fail2ban = {
+    enable = true;
+    maxretry = 10;
+
+    #ignore local ips
+    ignoreIP = [
+      "127.0.0.0/8" 
+      "10.0.0.0/8" 
+      "100.64.0.0/8" 
+      "172.16.0.0/12"
+      "192.168.0.0/16"
+      "8.8.8.8"
+    ];
+    jails = {
+      nginx-http-auth = ''
+        enabled  = true
+        port     = http,https
+        logpath  = /var/log/nginx/*.log
+        backend  = polling
+        journalmatch =
+      '';
+      nginx-botsearch = ''
+        enabled  = true
+        port     = http,https
+        logpath  = /var/log/nginx/*.log
+        backend  = polling
+        journalmatch =
+      '';
+      nginx-bad-request = ''
+        enabled  = true
+        port     = http,https
+        logpath  = /var/log/nginx/*.log
+        backend  = polling
+        journalmatch =
+      '';
+      authelia = ''
+        enabled  = true
+        port     = http,https
+      '';
+    };
+  };
+
+
+
+  environment.etc = {
+      "fail2ban/filter.d/authelia.conf".text = ''
+         # Fail2Ban filter for Authelia
+   
+         # Make sure that the HTTP header "X-Forwarded-For" received by Authelia's backend
+         # only contains a single IP address (the one from the end-user), and not the proxy chain
+         # (it is misleading: usually, this is the purpose of this header).
+   
+         # the failregex rule counts every failed 1FA attempt (first line, wrong username or password) and failed 2FA attempt
+         # second line) as a failure.
+         # the ignoreregex rule ignores debug, info and warning messages as all authentication failures are flagged as errors
+   
+         [Definition]
+         failregex = ^.*Unsuccessful 1FA authentication attempt by user .*remote_ip="?<HOST>"? stack.*
+                     ^.*Unsuccessful (TOTP|Duo|U2F) authentication attempt by user .*remote_ip="?<HOST>"? stack.*
+   
+         ignoreregex = ^.*level=debug.*
+                       ^.*level=info.*
+                       ^.*level=warning.*
+   
+        journalmatch = _SYSTEMD_UNIT=authelia-main.service + _COMM=authelia
+      '';
+    };
+}

services/nginx.nix

@@ -42,20 +42,25 @@
     recommendedGzipSettings = true;
     recommendedOptimisation = true;
 
+    logError = "syslog:server=unix:/dev/log";
+    commonHttpConfig = ''
+     access_log syslog:server=unix:/dev/log;
+    '';
 
-    virtualHosts.${"managment.funn-nas.lauterer.it"} = {
+
+    virtualHosts."managment.funn-nas.lauterer.it" = {
       forceSSL = true;
-      useACMEHost = "${config.networking.domain}";
+      useACMEHost = config.networking.domain;
       locations."/" = {
         proxyWebsockets = true;
-        proxyPass = "http://100.104.182.48";
+        proxyPass = "https://100.104.182.48";
       };
       basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
     };
 
-    virtualHosts.${"funn-nas.lauterer.it"} = {
+    virtualHosts."funn-nas.lauterer.it" = {
       forceSSL = true;
-      useACMEHost = "${config.networking.domain}";
+      useACMEHost = config.networking.domain;
       locations."/" = {
         proxyWebsockets = true;
         proxyPass = "https://100.104.182.48:30044";