| author | schererleander <leander@schererleander.de> | 2025-10-24 10:44:00 +0200 |
|---|---|---|
| committer | schererleander <leander@schererleander.de> | 2025-10-24 10:44:00 +0200 |
| commit | 2e4ca773ff0d45ad6a108611148aae52d127a74a (patch) | |
| tree | 0742ee5181bfad50268cfa398c99ce3d2367abc1 | |
| parent | f05c4411a25d194ab0395d2d14db6f222161d35a (diff) | |
setup filter for nextcloud jail
| -rw-r--r-- | hosts/sachiel/configuration.nix | 25 |
1 files changed, 13 insertions, 12 deletions
diff --git a/hosts/sachiel/configuration.nix b/hosts/sachiel/configuration.nix
index c527a1d..9af8143 100644
--- a/hosts/sachiel/configuration.nix
+++ b/hosts/sachiel/configuration.nix
@@ -85,14 +85,15 @@
 };
 };
- environment.etc = {
+ environment.etc = {
 # Adapted failregex for syslogs
 "fail2ban/filter.d/nextcloud.local".text = pkgs.lib.mkDefault (
 pkgs.lib.mkAfter ''
 [Definition]
- failregex = ^.*"remoteAddr":"<HOST>".*"message":"Login failed: (?P<failure-id>.*)",.*
- ^.*"remoteAddr":"<HOST>".*"message":"Two-factor challenge failed: (?P<failure-id>.*)",.*
- ^.*"remoteAddr":"<HOST>".*"message":"Trusted domain error\.(?P<failure-id>.*)",.*
+ _groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
+ failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
+ ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
+ datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
 ''
 );
 };
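Review bot: The rewritten `failregex` no longer has a line for `Two-factor challenge failed:`, which the removed filter matched, so repeated failed second-factor attempts would stop counting toward a ban. If that is not intended, add `^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Two-factor challenge failed:` between the two new patterns. The new patterns are also anchored with `^\{`, where the old ones began with `^.*`; the context comment says the filter is adapted for syslogs, so if the jail reads lines that carry a syslog or journal prefix before the JSON object, neither pattern would match and the jail would silently never ban. The jail definition (log source and backend) is outside this hunk, so this is worth confirming by running `fail2ban-regex` against a real failed-login line from that source.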
@@ -120,14 +121,14 @@
 recommendedProxySettings = true;
 recommendedTlsSettings = true;
 appendHttpConfig = ''
- map $scheme $hsts_header {
- https "max-age=31536000; includeSubdomains; preload";
- }
- add_header Strict-Transport-Security $hsts_header;
- #add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'; connect-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self';" always;
- add_header 'Referrer-Policy' 'same-origin';
- add_header X-Frame-Options DENY;
- add_header X-Content-Type-Options nosniff;
+ map $scheme $hsts_header {
+ https "max-age=31536000; includeSubdomains; preload";
+ }
+ add_header Strict-Transport-Security $hsts_header;
+ #add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'; connect-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self';" always;
+ add_header 'Referrer-Policy' 'same-origin';
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
 '';
 virtualHosts."cloud.schererleander.de" = { |
