updates

2024-09-12 17:34:11 -05:00
parent 3a7edf277f
commit 1f4010eb89
8 changed files with 225 additions and 129 deletions
--- a/modules/services/caddy/default.nix
+++ b/modules/services/caddy/default.nix
@@ -0,0 +1,22 @@
+{ ... }:
+let
+  collaboraPort = "9980";
+  nextcloudPort = "9981";
+  jellyfinPort = "";
+in
+{
+  services.caddy = {
+    enable = true;
+    enableReload = true;
+    email = "jalle008@proton.me";
+    user = "nix-apps";
+    group = "jallen-nas";
+    dataDir = "/media/ssd/nix-app-data/caddy";
+
+    virtualHosts."hass.mjallen.dev".extraConfig = ''
+      reverse_proxy http://10.0.1.183:8126
+    '';
+
+
+  };
+}
--- a/modules/services/fail2ban/default.nix
+++ b/modules/services/fail2ban/default.nix
@@ -0,0 +1,97 @@
+{ pkgs, ... }:
+{
+  services.fail2ban = {
+    enable = true;
+   # Ban IP after 5 failures
+    maxretry = 5;
+    ignoreIP = [
+      # Whitelist subnet
+      "10.0.1.0/24"
+      # "8.8.8.8" # whitelist a specific IP
+      # "nixos.wiki" # resolve the IP via DNS
+    ];
+    bantime = "24h"; # Ban IPs for one day on the first ban
+    bantime-increment = {
+      enable = true; # Enable increment of bantime after each violation
+      formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
+      multipliers = "1 2 4 8 16 32 64";
+      maxtime = "168h"; # Do not ban for more than 1 week
+      overalljails = true; # Calculate the bantime based on all the violations
+    };
+    jails = {
+      apache-nohome-iptables.settings = {
+        # Block an IP address if it accesses a non-existent
+        # home directory more than 5 times in 10 minutes,
+        # since that indicates that it's scanning.
+        filter = "apache-nohome";
+        action = ''iptables-multiport[name=HTTP, port="http,https"]'';
+        logpath = "/var/log/httpd/error_log*";
+        backend = "auto";
+        findtime = 600;
+        bantime  = 600;
+        maxretry = 5;
+      };
+
+      ngnix-url-probe.settings = { 
+        enabled = true;
+        filter = "nginx-url-probe";
+        logpath = "/var/log/nginx/access.log";
+        action = ''%(action_)s[blocktype=DROP]
+                 ntfy'';
+        backend = "auto"; # Do not forget to specify this if your jail uses a log file
+        maxretry = 5; 
+        findtime = 600;
+      };
+
+      nginx-http-auth.settings = {
+        enabled = true;
+        filter = "nginx-http-auth";
+        port = "http,https";
+        logpath = "/var/log/httpd/error_log*";
+      };
+
+      nginx-badbots.settings = {
+        enabled = true;
+        filter = "nginx-badbots";
+        port = "http,https";
+        logpath = "/var/log/nginx/access.log";
+        maxretry = 2;
+      };
+
+      nginx-botsearch.settings = {
+        enabled = true;
+        filter = "nginx-botsearch";
+        port = "http,https";
+        logpath = "/var/log/nginx/access.log";
+      };
+
+      nginx-deny.settings = {
+        enabled = true;
+        filter = "nginx-deny";
+        port = "http,https";
+        logpath = "/var/log/nginx/access.log";
+      };
+
+      nginx-unauthorized.settings = {
+        enabled = true;
+        filter = "nginx-unauthorized";
+        port = "http,https";
+        logpath = "/var/log/nginx/access.log";
+      };
+    };
+  };
+
+  environment.etc = {
+    # Define an action that will trigger a Ntfy push notification upon the issue of every new ban
+    # "fail2ban/action.d/ntfy.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+    #   [Definition]
+    #   norestored = true # Needed to avoid receiving a new notification after every restart
+    #   actionban = curl -H "Title: <ip> has been banned" -d "<name> jail has banned <ip> from accessing $(hostname) after <failures> attempts of hacking the system." https://ntfy.sh/Fail2banNotifications
+    # '');
+    # Defines a filter that detects URL probing by reading the Nginx access log
+    "fail2ban/filter.d/nginx-url-probe.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+      [Definition]
+      failregex = ^<HOST>.*(GET /(wp-|admin|boaform|phpmyadmin|\.env|\.git)|\.(dll|so|cfm|asp)|(\?|&)(=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000|=PHPE9568F36-D428-11d2-A769-00AA001ACF42|=PHPE9568F35-D428-11d2-A769-00AA001ACF42|=PHPE9568F34-D428-11d2-A769-00AA001ACF42)|\\x[0-9a-zA-Z]{2})
+    '');
+  };
+}
--- a/modules/services/jellyfin/default.nix
+++ b/modules/services/jellyfin/default.nix
@@ -0,0 +1,17 @@
+{ pkgs, ... }:
+{
+  services.jellyfin = {
+    enable = true;
+    openFirewall = true;
+    user = "nix-apps";
+    group = "jallen-nas";
+    dataDir = "/media/nas/ssd/nix-app-data/jellyfin/data";
+    configDir = "/media/nas/ssd/nix-app-data/jellyfin/config";
+  };
+
+  environment.systemPackages = [
+    pkgs.jellyfin
+    pkgs.jellyfin-web
+    pkgs.jellyfin-ffmpeg
+  ];
+}
--- a/modules/services/nextcloud/default.nix
+++ b/modules/services/nextcloud/default.nix
@@ -0,0 +1,128 @@
+{ config, ... }:
+let
+  adminpass = config.sops.secrets."jallen-nas/nextcloud/adminpassword".path;
+  dbpass = config.sops.secrets."jallen-nas/nextcloud/dbpassword".path;
+  smtppassword = config.sops.templates."nextcloud-smtp".content;
+in
+{
+  containers.nextcloud = {
+    autoStart = true;
+    privateNetwork = true;
+    # hostAddress = "127.0.0.1";
+    # localAddress = "10.233.0.2";
+    # hostAddress6 = "fc00::1";
+    # localAddress6 = "fc00::2";
+    # hostForward = [
+    #   {
+    #     hostPort = 9943;
+    #     containerPort = 80;
+    #   }
+    # ];
+
+    hostBridge = "br0";
+
+    bindMounts = {
+      secrets = {
+        hostPath = "/run/secrets/jallen-nas/nextcloud";
+        isReadOnly = true;
+        mountPoint = "/run/secrets/jallen-nas/nextcloud";
+      };
+
+      data = {
+        hostPath = "/media/nas/main/nextcloud";
+        isReadOnly = false;
+        mountPoint = "/data";
+      };
+    };
+
+    config =
+      { pkgs, lib, ... }:
+      {
+        services = {
+          nextcloud = {
+            enable = true;
+            package = pkgs.nextcloud29;
+            datadir = "/data";
+            hostName = "localhost";
+            appstoreEnable = true;
+            caching.redis = true;
+            configureRedis = true;
+            config = {
+              adminuser = "mjallen";
+              adminpassFile = adminpass;
+              dbhost = "10.0.1.18:3306";
+              dbtype = "mysql";
+              dbname = "jallen_nextcloud";
+              dbuser = "nextcloud";
+              dbpassFile = dbpass;
+            };
+            settings = {
+              trusted_domains = [
+                "10.0.1.18:9980"
+                "10.0.1.18:9943"
+                "cloud.mjallen.dev"
+              ];
+              trusted_proxies = [ "10.0.1.18" ];
+              maintenance_window_start = 6;
+              default_phone_region = "US";
+              mail_from_address = "matt.l.jallen";
+              mail_smtpmode = "smtp";
+              mail_sendmailmode = "smtp";
+              mail_domain = "gmail.com";
+              mail_smtpauth = 1;
+              mail_smtpname = "matt.l.jallen";
+              mail_smtppassword = smtppassword;
+              mail_smtpsecure = "ssl";
+              mail_smtphost = "smtp.gmail.com";
+              mail_smtpport = 465;
+              enable_previews = true;
+              enabledPreviewProviders = [
+                "OC\\\\Preview\\\\PNG"
+                "OC\\\\Preview\\\\JPEG"
+                "OC\\\\Preview\\\\GIF"
+                "OC\\\\Preview\\\\BMP"
+                "OC\\\\Preview\\\\XBitmap"
+                "OC\\\\Preview\\\\MP3"
+                "OC\\\\Preview\\\\TXT"
+                "OC\\\\Preview\\\\MarkDown"
+                "OC\\\\Preview\\\\OpenDocument"
+                "OC\\\\Preview\\\\Krita"
+                "OC\\\\Preview\\\\HEIC"
+              ];
+            };
+          };
+
+          nginx = {
+            enable = true;
+            virtualHosts = {
+              "nextcloud-container.local" = {
+                # Change this to the desired port number
+                listen = [
+                  {
+                    addr = "0.0.0.0";
+                    port = 9943;
+                  }
+                ];
+
+                root = "/var/www/nextcloud";
+
+                # You may need to adjust other options for your specific setup
+              };
+            };
+          };
+        };
+        system.stateVersion = "23.11";
+        networking = {
+          firewall = {
+            enable = true;
+            allowedTCPPorts = [ 9943 ];
+          };
+          # Use systemd-resolved inside the container
+          # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
+          useHostResolvConf = lib.mkForce false;
+        };
+        services.resolved.enable = true;
+
+      };
+  };
+}