From fa799c9dda2ec1fdafb676dff482dd599d4121da Mon Sep 17 00:00:00 2001
From: Tom Hubrecht
Date: Tue, 28 Nov 2023 20:29:25 +0100
Subject: [PATCH] feat(modules): Deploy fail2ban
---
 machines/compute01/_configuration.nix | 8 ++
 modules/default.nix | 1 +
 .../default.nix} | 5 +-
 modules/dgn-fail2ban/jails.nix | 82 +++++++++++++++++++
 patches/default.nix | 7 ++
 5 files changed, 101 insertions(+), 2 deletions(-)
 rename modules/{dgn-fail2ban.nix => dgn-fail2ban/default.nix} (92%)
 create mode 100644 modules/dgn-fail2ban/jails.nix
diff --git a/machines/compute01/_configuration.nix b/machines/compute01/_configuration.nix
index c7d7c86..1b39850 100644
--- a/machines/compute01/_configuration.nix
+++ b/machines/compute01/_configuration.nix
@@ -4,6 +4,7 @@ lib.extra.mkConfig { enabledModules = [ # List of modules to enable "dgn-dns"
+ "dgn-fail2ban"
 "dgn-web" ];
@@ -22,5 +23,12 @@ lib.extra.mkConfig { "zammad" ];
+ extraConfig = {
+ dgn-fail2ban.jails = lib.extra.enableAttrs' "enabled" [
+ "sshd-bruteforce"
+ "sshd-timeout"
+ ];
+ };
+
 root = ./.; }
diff --git a/modules/default.nix b/modules/default.nix
index 6047156..76b6998 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -40,6 +40,7 @@ "dgn-acme" "dgn-console" "dgn-dns"
+ "dgn-fail2ban"
 "dgn-hardware" "dgn-network" "dgn-secrets"
diff --git a/modules/dgn-fail2ban.nix b/modules/dgn-fail2ban/default.nix
similarity index 92%
rename from modules/dgn-fail2ban.nix
rename to modules/dgn-fail2ban/default.nix
index 35131ab..f0fb01c 100644
--- a/modules/dgn-fail2ban.nix
+++ b/modules/dgn-fail2ban/default.nix
@@ -50,7 +50,8 @@ in { }; config = mkIf cfg.enable {
- dgn-fail2ban.jails = builtins.mapAttrs (_: j: j // { enabled = mkDefault false; })
+ dgn-fail2ban.jails =
+ builtins.mapAttrs (_: j: j // { enabled = mkDefault false; })
 (import ./jails.nix { }); services.fail2ban = {
@@ -60,7 +61,7 @@ in { ignoreIP = [ "10.0.0.0/8"
- "125.199.0.0/16"
+ "129.199.0.0/16"
 "172.16.0.0/12" "192.168.0.0/16" "100.64.0.0/10"
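Review bot: `129.199.0.0/16` in `ignoreIP` is a public /16 sitting between RFC 1918 and CGNAT prefixes with nothing saying what it is, so a later reader cannot tell whether the old `125.` or the new `129.` was the typo, and every host in that range is exempt from banning on every jail, a compromised one included. Add a comment naming the network and the reason for the exemption, e.g. `"129.199.0.0/16" # <network name>: admin access comes from here, never banned`, and narrow it to the admin subnets if the whole /16 is not needed. Since the sshd jails enabled on compute01 in this same patch use `maxretry = 1`, this list is also the only thing standing between an admin's mistyped password and a lockout, which is worth stating in that comment. The `ignoreIP` list and the enclosing `services.fail2ban` attrset continue past the end of the hunk.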
diff --git a/modules/dgn-fail2ban/jails.nix b/modules/dgn-fail2ban/jails.nix
new file mode 100644
index 0000000..ec87fd6
--- /dev/null
+++ b/modules/dgn-fail2ban/jails.nix
@@ -0,0 +1,82 @@
+# Copyright Tom Hubrecht, (2023)
+#
+# Tom Hubrecht
+#
+# This software is a computer program whose purpose is to configure
+# machines and servers with NixOS.
+#
+# This software is governed by the CeCILL license under French law and
+# abiding by the rules of distribution of free software. You can use,
+# modify and/ or redistribute the software under the terms of the CeCILL
+# license as circulated by CEA, CNRS and INRIA at the following URL
+# "http://www.cecill.info".
+#
+# As a counterpart to the access to the source code and rights to copy,
+# modify and redistribute granted by the license, users are provided only
+# with a limited warranty and the software's author, the holder of the
+# economic rights, and the successive licensors have only limited
+# liability.
+#
+# In this respect, the user's attention is drawn to the risks associated
+# with loading, using, modifying and/or developing or reproducing the
+# software by the user in light of its specific status of free software,
+# that may mean that it is complicated to manipulate, and that also
+# therefore means that it is reserved for developers and experienced
+# professionals having in-depth computer knowledge. Users are therefore
+# encouraged to load and test the software's suitability as regards their
+# requirements in conditions enabling the security of their systems and/or
+# data to be ensured and, more generally, to use and operate it in the
+# same conditions as regards security.
+#
+# The fact that you are presently reading this means that you have had
+# knowledge of the CeCILL license and that you accept its terms.
+
+_: {
+ nginx-spam = {
+ filter.Definition.failregex = ''
+ ^.*GET.*(matrix/server|\.php|admin|wp\-).* HTTP/\d.\d\" 404.*$'';
+
+ settings = {
+ logpath = "/var/log/nginx/access.log";
+ backend = "auto";
+ maxretry = 500;
+ findtime = 60;
+ };
+ };
+
+ postfix-bruteforce = {
+ filter.Definition = {
+ failregex = "warning: [\\w\\.\\-]+\\[\\]: SASL LOGIN authentication failed.*$";
+ journalmatch = "_SYSTEMD_UNIT=postfix.service";
+ };
+
+ settings = {
+ findtime = 600;
+ maxretry = 1;
+ };
+ };
+
+ sshd-bruteforce = {
+ filter.Definition = {
+ failregex = "pam_unix\\(sshd:auth\\): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=.*$";
+ journalmatch = "_SYSTEMD_UNIT=sshd.service";
+ };
+
+ settings = {
+ findtime = 600;
+ maxretry = 1;
+ };
+ };
+
+ sshd-timeout = {
+ filter.Definition = {
+ failregex = "fatal: Timeout before authentication for .*$";
+ journalmatch = "_SYSTEMD_UNIT=sshd.service";
+ };
+
+ settings = {
+ findtime = 600;
+ maxretry = 1;
+ };
+ };
+}
diff --git a/patches/default.nix b/patches/default.nix
index 7296f54..4c6e881 100644
--- a/patches/default.nix
+++ b/patches/default.nix
@@ -134,5 +134,12 @@ id = 252318; hash = "sha256-lI5WYFlxKvava9e+eTI8ZGogIb3uPOLAWFrkxbSlCXI="; }
+
+ # nixos/fail2ban: RFC42-ize
+ {
+ id = 201907;
+ hash = "sha256-bkf37QTFgbnSz3s8QPm5Z+6rWVVOlDtISTR7FACEwMM=";
+ excludes = [ "nixos/doc/manual/" ];
+ }
 ]; }
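Review bot: None of the four `failregex` patterns contains a `<HOST>` (or `<ADDR>`) capture, so fail2ban has no address to ban; as far as I know it refuses such a filter when the jail starts ("No failure-id group" or similar) rather than matching and banning nothing, but either way the `sshd-bruteforce` and `sshd-timeout` jails this patch enables on compute01 would not protect sshd. The fix is to put `<HOST>` where the client address appears in each message: `rhost=<HOST>` for pam_unix, `for <HOST>` for the sshd timeout, `\[<HOST>\]` for the postfix SASL warning, and a leading `^<HOST> ` for the nginx access log, whose first field is the client address in the default combined format. With `maxretry = 1` and `findtime = 600`, `sshd-bruteforce` bans on a single failed password, a self-lockout hazard for anyone outside `ignoreIP`; if that is intended, say so in a comment, e.g. `# one failure is enough: legitimate users are expected to authenticate with keys`, so the next reader does not "fix" it. `<HOST>` needs no escaping in either the `''` string or the `"..."` strings; the doubled backslashes stay as they are.

```nix
_: {
  nginx-spam = {
    filter.Definition.failregex = ''
      ^<HOST> .*GET.*(matrix/server|\.php|admin|wp\-).* HTTP/\d.\d\" 404.*$'';
    # … unchanged: settings …
  };

  postfix-bruteforce = {
    filter.Definition = {
      failregex = "warning: [\\w\\.\\-]+\\[<HOST>\\]: SASL LOGIN authentication failed.*$";
      # … unchanged: journalmatch …
    };
    # … unchanged: settings …
  };

  sshd-bruteforce = {
    filter.Definition = {
      failregex = "pam_unix\\(sshd:auth\\): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<HOST>.*$";
      # … unchanged: journalmatch …
    };
    # … unchanged: settings …
  };

  sshd-timeout = {
    filter.Definition = {
      failregex = "fatal: Timeout before authentication for <HOST>.*$";
      # … unchanged: journalmatch …
    };
    # … unchanged: settings …
  };
}
```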