From 5d9c2c07fe3f5733bd837aa2f61d29c5fff419e0 Mon Sep 17 00:00:00 2001 From: RGBCube Date: Mon, 15 Jan 2024 20:46:35 +0300 Subject: [PATCH] Add fail2ban jails for more services --- hosts/cube/grafana.nix | 5 +++++ hosts/cube/mail.nix | 12 ++++++++++++ hosts/cube/nextcloud.nix | 2 -- secrets/cube/password.mail.nextcloud.age | 5 ----- secrets/secrets.nix | 5 ++--- 5 files changed, 19 insertions(+), 10 deletions(-) delete mode 100644 secrets/cube/password.mail.nextcloud.age diff --git a/hosts/cube/grafana.nix b/hosts/cube/grafana.nix index 1c617b0..d9192e1 100644 --- a/hosts/cube/grafana.nix +++ b/hosts/cube/grafana.nix @@ -8,6 +8,11 @@ in serverSystemConfiguration { age.secrets."cube/password.grafana".owner = "grafana"; age.secrets."cube/password.mail.grafana".owner = "grafana"; + services.fail2ban.jails.grafana.settings = { + filter = "grafana"; + maxretry = 3; + }; + systemd.services.grafana.requires = [ "postgresql.service" ]; services.grafana = enabled { diff --git a/hosts/cube/mail.nix b/hosts/cube/mail.nix index 7ceba32..757eec1 100644 --- a/hosts/cube/mail.nix +++ b/hosts/cube/mail.nix @@ -20,6 +20,18 @@ in serverSystemConfiguration { }]; }]; + services.fail2ban.jails = { + dovecot.settings = { + filter = "dovecot"; + maxretry = 3; + }; + + postfix.settings = { + filter = "postfix"; + maxretry = 3; + }; + }; + services.kresd.listenPlain = lib.mkForce [ "[::]:53" "0.0.0.0:53" ]; services.redis.servers.rspamd.bind = "0.0.0.0"; diff --git a/hosts/cube/nextcloud.nix b/hosts/cube/nextcloud.nix index 22e8091..a1458a9 100644 --- a/hosts/cube/nextcloud.nix +++ b/hosts/cube/nextcloud.nix @@ -6,7 +6,6 @@ let fqdn = "cloud.${domain}"; in serverSystemConfiguration { age.secrets."cube/password.nextcloud".owner = "nextcloud"; - age.secrets."cube/password.mail.nextcloud".owner = "nextcloud"; systemd.services.nextcloud-setup.requires = [ "postgresql.service" ]; 
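Review bot: The grafana jail in hosts/cube/grafana.nix sets only `filter` and `maxretry`, so which log source the filter reads is left to the fail2ban defaults, and nothing in the hunk shows that Grafana's failed-login lines reach it in the format the stock `grafana` filter expects. That filter is written against Grafana's own log-line format, so if the lines arrive in another shape the jail may load cleanly and never match, which looks like protection without providing any. I would set `backend` explicitly (plus a `logpath` if Grafana logs to a file on this host) and confirm a hit with `fail2ban-regex` against a real failed login before relying on it. If Grafana sits behind a reverse proxy, which is not visible in this hunk, also check that the logged remote address is the client's and not the proxy's, otherwise the ban lands on the proxy.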
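Review bot: The postfix jail in hosts/cube/mail.nix uses the stock filter with no mode, and in upstream fail2ban that filter defaults to `mode = more`, which as far as I know does not include the SASL authentication-failure patterns; as written the jail would react to rejected or RBL-listed traffic but not to password guessing against SMTP AUTH. If credential guessing is what this jail is meant to stop, select the mode explicitly, e.g. `filter = "postfix[mode=aggressive]";`, or add a second jail with `filter = "postfix[mode=auth]";`. The dovecot filter likewise has a `mode` parameter that deserves a deliberate choice rather than the default. With `maxretry = 3` and inherited `findtime`/`bantime`, a mail client retrying a stale password gets banned quickly, so an `ignoreip` entry for trusted networks is worth considering.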
@@ -24,7 +23,6 @@ in serverSystemConfiguration { config.dbhost = "/run/postgresql"; config.dbtype = "pgsql"; - secretFile = config.age.secrets."cube/password.mail.nextcloud".path; extraOptions = { default_phone_region = "TR"; diff --git a/secrets/cube/password.mail.nextcloud.age b/secrets/cube/password.mail.nextcloud.age deleted file mode 100644 index edeeb8b..0000000 --- a/secrets/cube/password.mail.nextcloud.age +++ /dev/null @@ -1,5 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 +rZ0Tw Sum+2HU7J6lXA4gbBl+mYj2L+D4tqtjHGdMl2RHiNGY -8Kw+f0Fzl0jhhkm6EuLqVQNGpyRjZL3xK9ldXugOMZs ---- wGiZJTQeisiVaEClE23WnfnkHOf9tV56KbQks/2JrOs -_ͣ6 J/d :c {n)M7As1XQqx_*] ' \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index c6c04f4..bd023a7 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -11,10 +11,9 @@ rec { "cube/password.acme.age".publicKeys = [ keys.cube ]; - "cube/password.mail.grafana.age".publicKeys = [ keys.cube ]; - "cube/password.mail.nextcloud.age".publicKeys = [ keys.cube ]; - "cube/password.grafana.age".publicKeys = [ keys.cube ]; + "cube/password.mail.grafana.age".publicKeys = [ keys.cube ]; + "cube/password.nextcloud.age".publicKeys = [ keys.cube ]; "enka/password.hash.orhan.age".publicKeys = [ keys.rgbcube ];