added ssh jail

fix: fail2ban config & try to fix extraApps problem
fix: use nextcloud30 pkgs
2025-01-18 13:29:32 +01:00 · 2024-12-27 14:34:19 +01:00 · 2024-12-27 14:25:14 +01:00 · 2024-12-27 14:17:56 +01:00 · 2024-12-27 14:09:17 +01:00 · 2024-12-27 14:07:00 +01:00
7 changed files with 56 additions and 31 deletions
--- a/features/shared/ssh.nix
+++ b/features/shared/ssh.nix
@ -8,4 +8,14 @@
      PermitRootLogin = "no";
    };
  };
+
+  services.fail2ban.jails.sshd.settings = {
+    ssh = ''
+    enabled = true
+    port = ssh
+    filter = sshd
+    logpath = %(sshd_log)s
+    maxretry = 5
+    '';
+  };
 }
--- a/hosts/sisyphe/configuration.nix
+++ b/hosts/sisyphe/configuration.nix
@ -142,6 +142,11 @@ in
    "dotnet-sdk-wrapped-6.0.428"
  ];

+  # seems like sabnzbd needs some unfree pkgs...
+  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
+    "unrar"
+  ];
+

  # This option defines the first version of NixOS you have installed on this particular machine,
  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
--- a/hosts/sisyphe/features/fail2ban.nix
+++ b/hosts/sisyphe/features/fail2ban.nix
@ -4,6 +4,25 @@
    enable = true;
    ignoreIP = [ "192.168.1.0/24" ];
    extraPackages = [ ];
-    jails = { };
+    jails = {
+      nextcloud = ''
+        enabled = true;
+        filter = nextcloud
+        port = http,https
+      '';
     };
+  };
+
+  environment.etc = {
+      "fail2ban/filter.d/nextcloud.conf".text = ''
+        [Definition]
+        _groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
+        datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
+        failregex = ^[^{]*\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
+                    ^[^{]*\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
+                    ^[^{]*\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Two-factor challenge failed:
+        journalmatch = _SYSTEMD_UNIT=phpfpm-nextcloud.service
+      '';
+    };
+
 }
--- a/hosts/sisyphe/features/multimedia/default.nix
+++ b/hosts/sisyphe/features/multimedia/default.nix
@ -3,6 +3,7 @@
    ./arr-suite.nix
    ./calibre-web.nix
    ./slskd.nix
+    ./sabnzbd.nix
    ./transmission.nix
    ./jellyfin.nix
  ];
--- a/hosts/sisyphe/features/multimedia/sabnzbd.nix
+++ b/hosts/sisyphe/features/multimedia/sabnzbd.nix
@ -0,0 +1,18 @@
+{config, pkgs, ...}:
+{
+  services.sabnzbd = {
+    enable = true;
+
+  };
+
+  services.caddy.virtualHosts."http://sabnzbd.normandy.sisyphe.hypervirtual.world".extraConfig = ''
+  reverse_proxy 8080
+  ''; 
+/*
+  services.prometheus.exporters.sabnzbd = {
+    enable = true;
+    servers = [
+      localhost
+    ]
+  };*/
+}
--- a/hosts/sisyphe/features/samba-shares.nix
+++ b/hosts/sisyphe/features/samba-shares.nix
@ -16,7 +16,6 @@ in
  config = {
    services.samba = {
      enable = true;
-      securityType = "user";
      openFirewall = true;
      settings = {
        global = {
--- a/hosts/sisyphe/features/services/nextcloud.nix
+++ b/hosts/sisyphe/features/services/nextcloud.nix
@ -25,6 +25,7 @@
    database.createLocally = true;
    webserver = "caddy";
    configureRedis = true;
+    package = pkgs.nextcloud30;
    config = {
      dbtype = "pgsql";
      adminpassFile = config.sops.secrets.adminNextcloudPass.path;
@ -62,37 +63,9 @@
    ];

    phpOptions."opcache.interned_strings_buffer" = "23";
-    extraApps = {
-      inherit (config.services.nextcloud.package.packages.apps)
-        contacts
-        calendar
-        previewgenerator
-        twofactor_nextcloud_notification
-        ;
-
-      memories = pkgs.fetchNextcloudApp {
-        sha256 = "sha256-tzxeffvwMwthvBRG+/cLCXZkVS32rlf5v7XOKTbGoOo=";
-        url = "https://github.com/pulsejet/memories/releases/download/v7.3.1/memories.tar.gz";
-        license = "agpl3Only";
-      };
-      /*
-        not useful for me
-           registration = pkgs.fetchNextcloudApp {
-             sha256 = "sha256-dDaQHyHdkkd8ZammLdck2HNGqqfEaunwevdPzbWzB8Y=";
-             url = "https://github.com/nextcloud-releases/registration/releases/download/v2.4.0/registration-v2.4.0.tar.gz";
-             license = "agpl3Only";
-           };
-      */
-      facerecognition = pkgs.fetchNextcloudApp {
-        sha256 = "sha256-FtYItN0Iy2QpSNf0GPs7fIPYgBdEuKHJGwZ7GQNySZE=";
-        url = "https://github.com/matiasdelellis/facerecognition/releases/download/v0.9.60/facerecognition.tar.gz";
-        license = "agpl3Only";
-      };
-
-    };
-    extraAppsEnable = true;
    appstoreEnable = true; # why i would want appstore to be disabled ???
    autoUpdateApps.enable = true;
+    cli.memoryLimit = "4G";
  };

  environment.systemPackages =
Author	SHA1	Message	Date
kity	c84a24c2ac	added ssh jail	2024-12-27 14:34:19 +01:00
kity	0b6399027c	fix: fail2ban config & try to fix extraApps problem	2024-12-27 14:25:14 +01:00
kity	2c17ed2d3e	fix: use nextcloud30 pkgs	2024-12-27 14:17:56 +01:00
kity	9414a560c0	fix: sabnzbd needs unfree pkg	2024-12-27 14:09:17 +01:00
kity	5c53e37af6	fix: 2fa does not seems to exists anymore on nc30??	2024-12-27 14:07:00 +01:00
kity	e045347a31	added missing file	2024-12-27 13:59:57 +01:00
kity	c8073d3055	fix: more changes due to nixos 24.11	2024-12-27 13:59:52 +01:00
kity	d1297eda99	feat: added sabnzbd support	2024-12-27 13:52:47 +01:00