| author | schererleander <leander@schererleander.de> | 2025-10-24 10:19:27 +0200 |
|---|---|---|
| committer | schererleander <leander@schererleander.de> | 2025-10-24 10:19:27 +0200 |
| commit | 07b46e8eecfd0f1ce539b9dd17312a9d0ce272e8 (patch) | |
| tree | 65cc8dd5826b1aa4b16246dc5450f22c2438d85f | |
| parent | e6e1e3a2f1525e15c021b0db53f2aac7cabd6050 (diff) | |
feat: setup fail2ban jail for nextcloud; add X-XSS-Protection header
| -rw-r--r-- | hosts/sachiel/configuration.nix | 47 |
1 files changed, 38 insertions, 9 deletions
diff --git a/hosts/sachiel/configuration.nix b/hosts/sachiel/configuration.nix index 12ed70d..a7f4cbe 100644 --- a/hosts/sachiel/configuration.nix +++ b/hosts/sachiel/configuration.nix @@ -12,7 +12,7 @@ ]; boot.tmp.cleanOnBoot = true; - boot.loader.grub.configurationLimit = 2; + boot.loader.grub.configurationLimit = 2; zramSwap.enable = true; networking = { @@ -67,9 +67,37 @@ bantime = "1h"; }; }; + nextcloud = { + enabled = true; + settings = { + # START modification to work with syslog instead of logile + backend = "systemd"; + journalmatch = "SYSLOG_IDENTIFIER=Nextcloud"; + # END modification to work with syslog instead of logile + enabled = true; + port = 443; + protocol = "tcp"; + filter = "nextcloud"; + maxretry = 3; + bantime = 86400; + findtime = 43200; + }; + }; }; }; + environment.etc = { + # Adapted failregex for syslogs + "fail2ban/filter.d/nextcloud.local".text = pkgs.lib.mkDefault ( + pkgs.lib.mkAfter '' + [Definition] + failregex = ^.*"remoteAddr":"<HOST>".*"message":"Login failed: + ^.*"remoteAddr":"<HOST>".*"message":"Two-factor challenge failed: + ^.*"remoteAddr":"<HOST>".*"message":"Trusted domain error. + '' + ); + }; + services.openssh = { enable = true; ports = [ 8693 ]; 
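Review bot: The nextcloud jail only produces bans if two things hold that this hunk does not establish: Nextcloud must actually log to the journal under `SYSLOG_IDENTIFIER=Nextcloud` (the jail uses `backend = "systemd"` with that `journalmatch`, so with plain file logging it will match nothing), and the `remoteAddr` field captured as `<HOST>` must be the real client address — behind the nginx proxy configured later in this file that is only true when Nextcloud's trusted proxies are set, otherwise every failed login is attributed to the proxy address and, if the proxy runs on the same host, fail2ban's default `ignoreself` makes the jail a no-op. If both are configured elsewhere in the file, a one-line comment next to `journalmatch` naming where (e.g. `# requires nextcloud log_type = syslog and trusted_proxies, see services.nextcloud below`) would help the next reader. Separately, `enabled = true;` is set both on the jail and again inside `settings`, so one of the two is redundant, and the comments read `logile` where `logfile` is meant. The `pkgs.lib.mkDefault (pkgs.lib.mkAfter ...)` wrapping of a single string literal presumably has no effect unless another module defines the same `environment.etc` entry; if nothing does, a plain string is clearer.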
@@ -93,14 +121,15 @@ recommendedProxySettings = true; recommendedTlsSettings = true; appendHttpConfig = '' - map $scheme $hsts_header { - https "max-age=31536000; includeSubdomains; preload"; - } - add_header Strict-Transport-Security $hsts_header; - #add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'; connect-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self';" always; - add_header 'Referrer-Policy' 'same-origin'; - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; + map $scheme $hsts_header { + https "max-age=31536000; includeSubdomains; preload"; + } + add_header Strict-Transport-Security $hsts_header; + #add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'; connect-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self';" always; + add_header 'Referrer-Policy' 'same-origin'; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; ''; virtualHosts."cloud.schererleander.de" = { |
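Review bot: The new `add_header X-XSS-Protection "1; mode=block";` turns on a browser-side filter that most current browsers no longer implement (Chromium removed its XSS auditor, Firefox never shipped one), and the auditor's selective blocking has itself been a source of cross-site information leaks, so current guidance is to set the header to `0` or omit it and rely on Content-Security-Policy — which this hunk still leaves commented out. If the header is kept, `add_header X-XSS-Protection "0" always;` is the defensible form. Note also that none of the `add_header` directives here carry `always`, so they are attached only to 2xx/3xx responses, and nginx inherits them into a `server`/`location` block only if that block defines no `add_header` of its own — whether the `virtualHosts."cloud.schererleander.de"` block that starts at the end of this hunk adds any is outside the visible lines. The remaining lines of the hunk are an indentation-only rewrite of the existing headers.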
