From d9e4dbcb52cfa58d6fb418785c5574555196c97a Mon Sep 17 00:00:00 2001
From: Gabriel Arazas
Date: Thu, 12 Jan 2023 15:28:40 +0800
Subject: [PATCH] hosts/plover: update fail2ban configuration

---
 hosts/plover/default.nix | 84 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 84 insertions(+)

diff --git a/hosts/plover/default.nix b/hosts/plover/default.nix
index d395c4ae..8cedf93e 100644
--- a/hosts/plover/default.nix
+++ b/hosts/plover/default.nix
@@ -104,6 +104,90 @@ in
 cleanup.enable = true;
 };
 
+ services.fail2ban.jails = {
+ nginx-http-auth = "enabled = true";
+ nginx-botsearch = "enabled = true";
+
+ # Max retries are pretty much based from whether or not the jail is
+ # attached to a more important service.
+ vaultwarden-user = ''
+ enabled = true
+ backend = systemd
+ filter = vaultwarden-user[journalmatch='_SYSTEMD_UNIT=vaultwarden.service']
+ maxretry = 5
+ '';
+
+ vaultwarden-admin = ''
+ enabled = true
+ backend = systemd
+ filter = vaultwarden-admin[journalmatch='_SYSTEMD_UNIT=vaultwarden.service']
+ maxretry = 3
+ '';
+
+ keycloak = ''
+ enabled = true
+ backend = systemd
+ filter = keycloak[journalmatch='_SYSTEMD_UNIT=keycloak.service']
+ maxretry = 3
+ '';
+
+ gitea = ''
+ enabled = true
+ backend = systemd
+ filter = gitea[journalmatch='_SYSTEMD_UNIT=gitea.service']
+ maxretry = 8
+ '';
+ };
+
+ # Create some custom fail2ban filters.
+ environment.etc = {
+ "fail2ban/filter.d/vaultwarden-user.conf".text = ''
+ [Includes]
+ before = common.conf
+
+ # For more information, Vaultwarden knowledge base has a dedicated page
+ # for configuring fail2ban with the application (i.e.,
+ # https://github.com/dani-garcia/vaultwarden/wiki/Fail2Ban-Setup).
+ [Definition]
+ failregex = ^.*Username or password is incorrect\. Try again\. IP: \. Username:.*$
+ ignoreregex =
+ '';
+
+ "fail2ban/filter.d/vaultwarden-admin.conf".text = ''
+ [Includes]
+ before = common.conf
+
+ # For more information, Vaultwarden knowledge base has a dedicated page
+ # for configuring fail2ban with the application (i.e.,
+ # https://github.com/dani-garcia/vaultwarden/wiki/Fail2Ban-Setup).
+ [Definition]
+ failregex = ^.*Invalid admin token\. IP: .*$
+ ignoreregex =
+ '';
+
+ "fail2ban/filter.d/keycloak.conf".text = ''
+ [Includes]
+ before = common.conf
+
+ # This is based from the server administration guide at
+ # https://www.keycloak.org/docs/$VERSION/server_admin/index.html.
+ [Definition]
+ failregex = ^.*type=LOGIN_ERROR.*ipAddress=.*$
+ ignoreregex =
+ '';
+
+ "fail2ban/filter.d/gitea.conf".text = ''
+ [Includes]
+ before = common.conf
+
+ # Thankfully, Gitea also has a dedicated page for configuring fail2ban
+ # for the service at https://docs.gitea.io/en-us/fail2ban-setup/
+ [Definition]
+ failregex = ^.*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from
+ ignoreregex =
+ '';
+ };
+
 # DNS-related settings. This is nice for automating them putting DNS records
 # and other types of stuff.
 security.acme.defaults = {
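Review bot: As rendered here, none of the four failregex lines contains a `<HOST>` (or `<ADDR>`) placeholder — `IP: \. Username:.*$`, `IP: .*$`, `ipAddress=.*$` and `.* from` each stop exactly where the client address should be — and without that token fail2ban has no address to extract, so the vaultwarden-user, vaultwarden-admin, keycloak and gitea jails would match nothing and ban nobody. If the angle-bracket tokens are present in the real file and were only dropped by this rendering, disregard; otherwise each pattern needs the placeholder at the address position, e.g. `failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$` and `failregex = ^.*type=LOGIN_ERROR.*ipAddress=<HOST>.*$`. Either way, running `fail2ban-regex` against a sample of each service's journal output before deploying would confirm the filters actually hit, which nothing in the commit shows was done. The enclosing module attribute set begins before this hunk.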