From 96e1a54638c98d64a3a38fd193844d6d5c3e66da Mon Sep 17 00:00:00 2001
From: Bruno BELANYI
Date: Sun, 22 Sep 2024 01:26:06 +0200
Subject: [PATCH 1/2] nixos: services: nextcloud: add fail2ban jail
---
 modules/nixos/services/nextcloud/default.nix | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/modules/nixos/services/nextcloud/default.nix b/modules/nixos/services/nextcloud/default.nix
index bb3169a..d173fc0 100644
--- a/modules/nixos/services/nextcloud/default.nix
+++ b/modules/nixos/services/nextcloud/default.nix
@@ -87,5 +87,25 @@ in
 "${config.services.nextcloud.home}/data/appdata_*/preview"
 ];
 };
+
+ services.fail2ban.jails = {
+ nextcloud = ''
+ enabled = true
+ filter = nextcloud
+ port = http,https
+ '';
+ };
+
+ environment.etc = {
+ "fail2ban/filter.d/nextcloud.conf".text = ''
+ [Definition]
+ _groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
+ datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
+ failregex = ^[^{]*\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Login failed:
+ ^[^{]*\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Trusted domain error.
+ ^[^{]*\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Two-factor challenge failed:
+ journalmatch = _SYSTEMD_UNIT=phpfpm-nextcloud.service
+ '';
+ };
 };
 }
From a059828a587eb271d42656d8e315c083ff47b921 Mon Sep 17 00:00:00 2001
From: Bruno BELANYI
Date: Sun, 22 Sep 2024 01:58:56 +0200
Subject: [PATCH 2/2] nixos: services: miniflux: add fail2ban jail
---
 modules/nixos/services/miniflux/default.nix | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/modules/nixos/services/miniflux/default.nix b/modules/nixos/services/miniflux/default.nix
index 5104c8b..400ae00 100644
--- a/modules/nixos/services/miniflux/default.nix
+++ b/modules/nixos/services/miniflux/default.nix
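Review bot: As shown on this page, none of the three `failregex` alternatives in `nextcloud.conf` captures an address: each reads `"remoteAddr":""`, and fail2ban needs a host group in the expression to know what to ban. The tag was most likely lost when the page was rendered, so confirm that the committed file has `"remoteAddr":"<HOST>"` on all three lines. The miniflux filter in patch 2/2 shows the same gap, ending at `client_ip=` where `client_ip=<ADDR>` would be expected. Running `fail2ban-regex` against real journal lines from each unit would confirm that both filters match and extract the client address.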
@@ -48,5 +48,21 @@ in
 inherit (cfg) port;
 };
 };
+
+ services.fail2ban.jails = {
+ miniflux = ''
+ enabled = true
+ filter = miniflux
+ port = http,https
+ '';
+ };
+
+ environment.etc = {
+ "fail2ban/filter.d/miniflux.conf".text = ''
+ [Definition]
+ failregex = ^.*msg="[^"]*(Incorrect|Invalid) username or password[^"]*".*client_ip=
+ journalmatch = _SYSTEMD_UNIT=miniflux.service
+ '';
+ };
 };
 }
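Review bot: The miniflux `failregex` takes its address from the last `client_ip=` on the line, because the `.*` in front of it is greedy and nothing ties the match to a field position. If Miniflux also logs client-supplied fields such as the username or user agent on the same line (not visible in this hunk), text inside them could end up being read as the address to ban. Making the skip lazy, `".*?client_ip=`, selects the first occurrence after the message instead. That is only safe if the real field precedes any client-supplied one, so check it against actual log lines before relying on it.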