From b7a5d89ed2e02e948513c3f0887849001d6818af Mon Sep 17 00:00:00 2001
From: madmin
Date: Sun, 1 Sep 2024 16:05:39 +0200
Subject: [PATCH] feat(system/core, -||-/services): add security modules - firejail, firewall, fail2ban

---
 home/laozi/common/core/firejail.nix | 34 ------------
 systems/common/core/networking.nix | 7 +++
 systems/common/core/services/fail2ban.nix | 66 +++++++++++------------
 systems/common/core/services/firejail.nix | 36 ++++++++++++-
 4 files changed, 74 insertions(+), 69 deletions(-)
 delete mode 100644 home/laozi/common/core/firejail.nix
 create mode 100644 systems/common/core/networking.nix

diff --git a/home/laozi/common/core/firejail.nix b/home/laozi/common/core/firejail.nix
deleted file mode 100644
index 7f2face..0000000
--- a/home/laozi/common/core/firejail.nix
+++ /dev/null
@@ -1,34 +0,0 @@
-{ pkgs, ... }:
-{
- programs.firejail = {
- enable = true;
- wrappedBinaries = {
- librewolf = {
- executable = "${pkgs.librewolf}/bin/librewolf";
- profile = "${pkgs.firejail}/etc/firejail/librewolf.profile";
- extraArgs = [
- # Required for U2F USB stick
- "--ignore=private-dev"
- # Enforce dark mode
- "--env=GTK_THEME=Adwaita:dark"
- # Enable system notifications
- "--dbus-user.talk=org.freedesktop.Notifications"
- ];
- };
- signal-desktop = {
- # Enable tray icon otherwise Signal window might be hidden
- executable = "${pkgs.signal-desktop}/bin/signal-desktop --use-tray-icon";
- profile = "${pkgs.firejail}/etc/firejail/signal-desktop.profile";
- extraArgs = [
- # Enforce dark mode
- "--env=GTK_THEME=Adwaita:dark"
- #TODO: Enable Wayland mode
- #"--env=NIXOS_OZONE_WL=1"
- # Allow tray icon (should be upstreamed into signal-desktop.profile)
- "--dbus-user.talk=org.kde.StatusNotifierWatcher"
- ];
- };
- };
- };
-}
-
diff --git a/systems/common/core/networking.nix b/systems/common/core/networking.nix
new file mode 100644
index 0000000..4444662
--- /dev/null
+++ b/systems/common/core/networking.nix
@@ -0,0 +1,7 @@
+{ configVars, ... }:
+{
+ networking.firewall = {
+ enable = true;
+
+ };
+}
diff --git a/systems/common/core/services/fail2ban.nix b/systems/common/core/services/fail2ban.nix
index 7a6fdba..a7f9c88 100644
--- a/systems/common/core/services/fail2ban.nix
+++ b/systems/common/core/services/fail2ban.nix
@@ -1,7 +1,8 @@
 # http://web.archive.org/web/20240621185719/https://dataswamp.org/~solene/2022-10-02-nixos-fail2ban.html
+{ pkgs, ... }:
 {
 services.fail2ban = {
- enable = true;
+ enable = false;
 ignoreIP = [
 "192.168.1.0/24"
 ];
@@ -10,35 +11,36 @@
 banaction = "iptables-ipset-proto6-allports";
- jails = {
-
- # max 6 failures in 600 seconds
- "nginx-spam" = ''
- enabled = true
- filter = nginx-bruteforce
- logpath = /var/log/nginx/access.log
- backend = auto
- maxretry = 6
- findtime = 600
- '';
-
- # max 3 failures in 600 seconds
- "postfix-bruteforce" = ''
- enabled = true
- filter = postfix-bruteforce
- findtime = 600
- maxretry = 3
- '';
-
- # max 10 failures in 600 seconds
- "molly" = ''
- enabled = true
- filter = molly
- findtime = 600
- maxretry = 10
- logpath = /var/log/molly-brown/access.log
- backend = auto
- '';
+ jails = {
+
+ # max 6 failures in 600 seconds
+ "nginx-spam" = ''
+ enabled = true
+ filter = nginx-bruteforce
+ logpath = /var/log/nginx/access.log
+ backend = auto
+ maxretry = 6
+ findtime = 600
+ '';
+
+ # max 3 failures in 600 seconds
+ "postfix-bruteforce" = ''
+ enabled = true
+ filter = postfix-bruteforce
+ findtime = 600
+ maxretry = 3
+ '';
+
+ # max 10 failures in 600 seconds
+ "molly" = ''
+ enabled = true
+ filter = molly
+ findtime = 600
+ maxretry = 10
+ logpath = /var/log/molly-brown/access.log
+ backend = auto
+ '';
+ };
 };
 environment.etc = {
 "fail2ban/filter.d/molly.conf".text = ''
@@ -58,7 +60,5 @@
 '';
 };
-
-
-
 }
+
diff --git a/systems/common/core/services/firejail.nix b/systems/common/core/services/firejail.nix
index 569e214..b75d5a4 100644
--- a/systems/common/core/services/firejail.nix
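Review bot: The new networking.nix header binds `configVars` but none of the seven added lines reads it, and the firewall block carries an empty line where the port rules would normally go. `networking.firewall.enable = true` with no `allowedTCPPorts`/`allowedUDPPorts` is the deny-by-default stance you want, but it also means the nginx and postfix traffic that the fail2ban jails in this same patch watch will be dropped on any host that does not open those ports in another module. I would drop the unused binding, `{ ... }:`, and record the intent on the empty line, e.g. `# Deny inbound by default; per-host modules open ports with networking.firewall.allowedTCPPorts`.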
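Review bot: In fail2ban.nix `enable = true` becomes `enable = false` in a commit whose title says it adds fail2ban, so the jails configured further down are never started and no bans are ever applied. If the service is deliberately parked, say why on that line, e.g. `enable = false; # TODO: enable once the nginx/postfix/molly log paths exist on this host`, otherwise restore `true`. The newly added `{ pkgs, ... }:` argument is not referenced in any visible hunk; it may be used in the environment.etc section that lies outside this diff, but if not it should go. The unchanged `ignoreIP = [ "192.168.1.0/24" ]` context exempts the entire LAN from banning, which is worth a one-line comment stating that this is intended.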
+++ b/systems/common/core/services/firejail.nix
@@ -1,2 +1,34 @@
-{ pkgs, ... }:
-{ }
+{ config, lib, pkgs, ... }:
+{
+ programs.firejail = {
+ enable = true;
+ wrappedBinaries = {
+ librewolf = {
+ executable = "${pkgs.librewolf}/bin/librewolf";
+ profile = "${pkgs.firejail}/etc/firejail/librewolf.profile";
+ extraArgs = [
+ # Required for U2F USB stick
+ "--ignore=private-dev"
+ # Enforce dark mode
+ "--env=GTK_THEME=Adwaita:dark"
+ # Enable system notifications
+ "--dbus-user.talk=org.freedesktop.Notifications"
+ ];
+ };
+ signal-desktop = {
+ # Enable tray icon otherwise Signal window might be hidden
+ executable = "${pkgs.signal-desktop}/bin/signal-desktop --use-tray-icon";
+ profile = "${pkgs.firejail}/etc/firejail/signal-desktop.profile";
+ extraArgs = [
+ # Enforce dark mode
+ "--env=GTK_THEME=Adwaita:dark"
+ #TODO: Enable Wayland mode
+ #"--env=NIXOS_OZONE_WL=1"
+ # Allow tray icon (should be upstreamed into signal-desktop.profile)
+ "--dbus-user.talk=org.kde.StatusNotifierWatcher"
+ ];
+ };
+ };
+ };
+}
+
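Review bot: The new firejail.nix header `{ config, lib, pkgs, ... }:` binds `config` and `lib`, but only `pkgs` is referenced in the 34 added lines; `{ pkgs, ... }:`, as in the deleted `home/laozi` copy, keeps the header honest. Because this wrapper set now lives at system level, two things deserve a comment next to `wrappedBinaries`: the wrappers only intercept launches that resolve the command through PATH, so installing `pkgs.librewolf` or `pkgs.signal-desktop` separately (e.g. in home packages) can put the unwrapped binary ahead of the sandboxed one depending on PATH order, and desktop-menu launches use the package's own .desktop entry unless the module's `desktop` option is also set on a NixOS release that provides it. A line such as `# Do not install librewolf/signal-desktop outside this block; the unwrapped binary would bypass the sandbox` would save the next reader a surprise. The `--ignore=private-dev` and `--dbus-user.talk` additions already carry their reasons, which is good.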