tlaternet/tlaternet-server
1
0
Fork 0
Code Issues10 Pull requests Releases Activity

feat: Remove fail2ban

Browse source
This commit is contained in:
Tristan Daniël Maat 2025-01-24 00:34:25 +08:00
parent cf751d0199
commit 22981fdcdd
Signed by: tlater
GPG key ID: 49670FD774E43268
13 changed files with 4 additions and 255 deletions

1
configuration/default.nix
View file

@ -18,7 +18,6 @@
./services/backups.nix
./services/battery-manager.nix
./services/conduit.nix
./services/fail2ban.nix
./services/foundryvtt.nix
./services/gitea.nix
./services/metrics

43
configuration/services/fail2ban.nix
View file

@ -1,43 +0,0 @@
{ pkgs, ... }:
{
services.fail2ban = {
enable = true;
extraPackages = [ pkgs.ipset ];
banaction = "iptables-ipset-proto6-allports";
bantime-increment.enable = true;
jails = {
nginx-botsearch = ''
enabled = true
logpath = /var/log/nginx/access.log
'';
};
ignoreIP = [
"127.0.0.0/8"
"10.0.0.0/8"
"172.16.0.0/12"
"192.168.0.0/16"
];
};
# Allow metrics services to connect to the socket as well
users.groups.fail2ban = { };
systemd.services.fail2ban.serviceConfig = {
ExecStartPost =
"+"
+ (pkgs.writeShellScript "fail2ban-post-start" ''
while ! [ -S /var/run/fail2ban/fail2ban.sock ]; do
sleep 1
done
while ! ${pkgs.netcat}/bin/nc -zU /var/run/fail2ban/fail2ban.sock; do
sleep 1
done
${pkgs.coreutils}/bin/chown root:fail2ban /var/run/fail2ban /var/run/fail2ban/fail2ban.sock
${pkgs.coreutils}/bin/chmod 660 /var/run/fail2ban/fail2ban.sock
${pkgs.coreutils}/bin/chmod 710 /var/run/fail2ban
'');
};
}

18
configuration/services/gitea.nix
View file

@ -59,24 +59,6 @@ in
};
};
# Block repeated failed login attempts
#
# TODO(tlater): Update this - we switched to forgejo, who knows what
# the new matches are.
# environment.etc = {
# "fail2ban/filter.d/gitea.conf".text = ''
# [Definition]
# failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
# journalmatch = _SYSTEMD_UNIT=forgejo.service + _COMM=forgejo + SYSLOG_IDENTIFIER=forgejo
# '';
# };
# services.fail2ban.jails = {
# gitea = ''
# enabled = true
# '';
# };
services.backups.forgejo = {
user = "forgejo";
paths = [

28
configuration/services/metrics/exporters.nix
View file

@ -68,34 +68,6 @@ in
};
};
extraExporters = {
fail2ban =
let
cfg = config.services.prometheus.extraExporters.fail2ban;
in
{
port = 9191;
serviceOpts = {
after = [ "fail2ban.service" ];
requires = [ "fail2ban.service" ];
serviceConfig = {
Group = "fail2ban";
RestrictAddressFamilies = [
"AF_UNIX"
"AF_INET"
"AF_INET6"
];
ExecStart = lib.concatStringsSep " " [
"${pkgs.local.prometheus-fail2ban-exporter}/bin/fail2ban-prometheus-exporter"
"--collector.f2b.socket=/var/run/fail2ban/fail2ban.sock"
"--web.listen-address='${cfg.listenAddress}:${toString cfg.port}'"
"--collector.f2b.exit-on-socket-connection-error=true"
];
};
};
};
};
# TODO(tlater):
# - wireguard (?)
# - postgres (?)

1
configuration/services/metrics/options.nix
View file

@ -12,6 +12,7 @@ in
options = {
services.prometheus = {
extraExporters = mkOption {
default = { };
type = types.attrsOf (
types.submodule {
options = {

23
configuration/services/nextcloud.nix
View file

@ -70,29 +70,6 @@ in
# The upstream module already adds HSTS
};
# Block repeated failed login attempts
environment.etc = {
"fail2ban/filter.d/nextcloud.conf".text = ''
[Definition]
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
failregex = \{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
journalmatch = SYSLOG_IDENTIFIER=Nextcloud
'';
};
services.fail2ban.jails = {
nextcloud = ''
enabled = true
# Nextcloud does some throttling already, so we need to set
# these to something bigger.
findtime = 43200
bantime = 86400
'';
};
services.backups.nextcloud = {
user = "nextcloud";
paths = [