feat(systems,home / core): add firejail & fail2ban configs

2024-08-28 19:36:59 +02:00 · 2024-08-28 19:36:59 +02:00 · 5dafbc3a24
parent 9330e70fec
commit 5dafbc3a24
4 changed files with 104 additions and 0 deletions
--- a/home/laozi/common/core/firejail.nix
+++ b/home/laozi/common/core/firejail.nix
@ -0,0 +1,34 @@
+{ pkgs, ... }:
+{
+  programs.firejail = {
+    enable = true;
+    wrappedBinaries = {
+      librewolf = {
+        executable = "${pkgs.librewolf}/bin/librewolf";
+        profile = "${pkgs.firejail}/etc/firejail/librewolf.profile";
+        extraArgs = [
+          # Required for U2F USB stick
+          "--ignore=private-dev"
+          # Enforce dark mode
+          "--env=GTK_THEME=Adwaita:dark"
+          # Enable system notifications
+          "--dbus-user.talk=org.freedesktop.Notifications"
+        ];
+      };
+      signal-desktop = {
+        # Enable tray icon otherwise Signal window might be hidden
+        executable = "${pkgs.signal-desktop}/bin/signal-desktop --use-tray-icon";
+        profile = "${pkgs.firejail}/etc/firejail/signal-desktop.profile";
+        extraArgs = [
+          # Enforce dark mode
+          "--env=GTK_THEME=Adwaita:dark"
+          #TODO: Enable Wayland mode
+          #"--env=NIXOS_OZONE_WL=1"
+          # Allow tray icon (should be upstreamed into signal-desktop.profile)
+          "--dbus-user.talk=org.kde.StatusNotifierWatcher"
+        ];
+      };
+    };
+  };
+}
+
--- a/systems/common/core/services/default.nix
+++ b/systems/common/core/services/default.nix
@ -0,0 +1,4 @@
+{ configLib, ... }:
+{ 
+  import = (configLib.scanPaths ./.);
+}
--- a/systems/common/core/services/fail2ban.nix
+++ b/systems/common/core/services/fail2ban.nix
@ -0,0 +1,64 @@
+# http://web.archive.org/web/20240621185719/https://dataswamp.org/~solene/2022-10-02-nixos-fail2ban.html
+{
+  services.fail2ban = {
+    enable = true;
+    ignoreIP = [
+      "192.168.1.0/24"
+    ]; 
+  # needed to ban on IPv4 and IPv6 for all ports
+    extraPackages = [pkgs.ipset];
+    banaction = "iptables-ipset-proto6-allports";
+  
+  
+  jails = {
+
+    # max 6 failures in 600 seconds
+    "nginx-spam" = ''
+      enabled  = true
+      filter   = nginx-bruteforce
+      logpath = /var/log/nginx/access.log
+      backend = auto
+      maxretry = 6
+      findtime = 600
+    '';
+
+    # max 3 failures in 600 seconds
+    "postfix-bruteforce" = ''
+      enabled = true
+      filter = postfix-bruteforce
+      findtime = 600
+      maxretry = 3
+    '';
+
+    # max 10 failures in 600 seconds
+    "molly" = ''
+      enabled = true
+      filter = molly
+      findtime = 600
+      maxretry = 10
+      logpath = /var/log/molly-brown/access.log
+      backend = auto
+    '';
+  };
+  environment.etc = {
+    "fail2ban/filter.d/molly.conf".text = ''
+      [Definition]
+      failregex = <HOST>\s+(31|40|51|53).*$
+    '';
+
+    "fail2ban/filter.d/nginx-bruteforce.conf".text = ''
+      [Definition]
+      failregex = ^<HOST>.*GET.*(matrix/server|\.php|admin|wp\-).* HTTP/\d.\d\" 404.*$
+    '';
+
+    "fail2ban/filter.d/postfix-bruteforce.conf".text = ''
+      [Definition]
+      failregex = warning: [\w\.\-]+\[<HOST>\]: SASL LOGIN authentication failed.*$
+      journalmatch = _SYSTEMD_UNIT=postfix.service
+    '';
+  };
+
+
+
+  
+}
--- a/systems/common/core/services/firejail.nix
+++ b/systems/common/core/services/firejail.nix
@ -0,0 +1,2 @@
+{ pkgs, ... }:
+{ }