From 20ee47caa2f397ab5459b481cee1022660576474 Mon Sep 17 00:00:00 2001
From: danny
Date: Fri, 26 Sep 2025 20:47:19 +0800
Subject: [PATCH] security: add fail2ban

---
 system/dev/dn-server/default.nix | 2 +
 system/dev/dn-server/security.nix | 13 +++++++
 system/modules/fail2ban.nix | 55 +++++++++++++++++++++++++++
 system/modules/mail-server/server.nix | 2 +-
 4 files changed, 71 insertions(+), 1 deletion(-)
 create mode 100644 system/dev/dn-server/security.nix
 create mode 100644 system/modules/fail2ban.nix

diff --git a/system/dev/dn-server/default.nix b/system/dev/dn-server/default.nix
index 82e027d..e9f5112 100644
--- a/system/dev/dn-server/default.nix
+++ b/system/dev/dn-server/default.nix
@@ -18,6 +18,7 @@ in
 intel-bus-id = "PCI:0:2:0";
 nvidia-bus-id = "PCI:1:0:0";
 })
+ ./security.nix
 ./sops-conf.nix
 ./boot.nix
 ./hardware-configuration.nix
@@ -58,6 +59,7 @@ in
 dataBackupPath = "/mnt/backup_dn";
 dbBackupPath = "/mnt/backup_dn";
 adminpassFile = config.sops.secrets."nextcloud/adminPassword".path;
+ trusted = [ "nextcloud.daccc.info" ];
 })
 (import ../../modules/vaultwarden.nix {
 domain = "bitwarden.net.dn";
diff --git a/system/dev/dn-server/security.nix b/system/dev/dn-server/security.nix
new file mode 100644
index 0000000..6de9d48
--- /dev/null
+++ b/system/dev/dn-server/security.nix
@@ -0,0 +1,13 @@
+{
+ ...
+}:
+{
+ imports = [
+ (import ../../modules/fail2ban.nix {
+ extraAllowList = [
+ "10.0.0.0/24"
+ "122.117.215.55"
+ ];
+ })
+ ];
+}
diff --git a/system/modules/fail2ban.nix b/system/modules/fail2ban.nix
new file mode 100644
index 0000000..16725e8
--- /dev/null
+++ b/system/modules/fail2ban.nix
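Review bot: The two allowlist entries in the new security.nix carry no comment saying what they are, and `122.117.215.55` is a bare public address that is permanently exempted from every jail, so a later reader cannot tell whether it is a static admin address or a dynamically assigned one that the ISP may hand to someone else. Add a comment above the list such as `# LAN range and admin public IP; these are never banned by any jail - re-check when the WAN address changes`, and keep only addresses you control long-term in this list. The `10.0.0.0/24` entry sits alongside the module's own `192.168.0.0/16` default, so it is worth stating which network each covers.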
@@ -0,0 +1,55 @@
+{
+ extreAllowList ? [ ],
+ ...
+}:
+{
+
+ services.fail2ban = {
+ enable = true;
+ maxretry = 5;
+ ignoreIP = [
+ "192.168.0.0/16"
+ ]
+ ++ extreAllowList;
+ bantime = "24h";
+ bantime-increment = {
+ enable = true;
+ multipliers = "8 64";
+ maxtime = "1y";
+ overalljails = true;
+ };
+ jails =
+ let
+ nginxLogPath = "/var/log/nginx/error.log*";
+ in
+ {
+ sshd.settings = {
+ logPath = "";
+ filter = "sshd";
+ action = ''nftables-multiport[name="sshd", port="ssh,30072"]'';
+ backend = "systemd";
+ findtime = 600;
+ bantime = 600;
+ maxretry = 5;
+ };
+ nginx-error-common.settings = {
+ logPath = nginxLogPath;
+ filter = "nginx-error-common";
+ action = ''nftables-multiport[name=HTTP, port="http,https"]'';
+ backend = "auto";
+ findtime = 600;
+ bantime = 600;
+ maxretry = 5;
+ };
+ nginx-forbidden.settings = {
+ logPath = nginxLogPath;
+ filter = "nginx-forbidden";
+ action = ''nftables-multiport[name=HTTP, port="http,https"]'';
+ backend = "auto";
+ findtime = 600;
+ bantime = 600;
+ maxretry = 5;
+ };
+ };
+ };
+}
diff --git a/system/modules/mail-server/server.nix b/system/modules/mail-server/server.nix
index bcc4ce0..9a4cbbf 100644
--- a/system/modules/mail-server/server.nix
+++ b/system/modules/mail-server/server.nix
@@ -292,7 +292,7 @@ in
 log_path = /dev/stderr
 log_debug = (category=auth-client) OR (event=auth_client_passdb_lookup_started)
- auth_mechanisms = plain login oauthbearer
+ auth_mechanisms = plain login
 ssl = required
 service auth {
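Review bot: The module's parameter is spelled `extreAllowList` (in the function pattern and again in `++ extreAllowList;`), while the caller in security.nix passes `extraAllowList`; because the pattern ends in `...`, Nix accepts the unknown attribute without an error and the default `[ ]` is used, so the operator's `10.0.0.0/24` and `122.117.215.55` receive no exemption and can be banned from SSH and HTTP by this very change. Rename both occurrences to `extraAllowList` so the name matches the caller. Separately, both nginx jails use `nftables-multiport[name=HTTP, ...]`; the stock nftables action appears to derive its set name from `name`, so two jails sharing it would manage the same set and one jail stopping would drop the other's bans - give each its own, e.g. `name=nginx-error-common` and `name=nginx-forbidden`. Note also that every jail sets `bantime = 600` and `maxretry = 5`, which override the top-level `bantime = "24h"` for all jails defined here, so the 24h value is effectively unused; and I cannot see a `nginx-forbidden` filter shipped with fail2ban, so unless it is defined elsewhere in this repository that jail will fail to load - worth confirming with `fail2ban-client status` after deploy.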