Services: finalize and enable webdav

2024-11-02 11:53:13 -04:00 · 2024-11-02 11:53:13 -04:00 · 0242700eea
parent 15a76b612b
commit 0242700eea
3 changed files with 28 additions and 1 deletions
--- a/hosts/Hevana/default.nix
+++ b/hosts/Hevana/default.nix
@ -236,7 +236,7 @@ in
        };
      };
      webdav = {
-        enable = false;
+        enable = true;
        home = "${services-root}/webdav";
        url = config.secrets.services.webdav.url;
        users = config.secrets.services.webdav.users;
--- a/modules/secrets/default.nix
+++ b/modules/secrets/default.nix
--- a/modules/services/webdav.nix
+++ b/modules/services/webdav.nix
@ -43,6 +43,7 @@ in
          port = port;
          scope = cfg.home;
          users = cfg.users;
+          behindProxy = true;
        };
      };

@ -60,6 +61,32 @@ in
      };
    };

+    environment.etc = lib.mkIf config.services.fail2ban.enable {
+      "fail2ban/filter.d/webdav.conf".text = ''
+        [INCLUDES]
+        before = common.conf
+
+        [Definition]
+        # Failregex to match "invalid password" and extract remote_address only
+        failregex = ^.*invalid password\s*\{.*"remote_address":\s*"<HOST>"\s*\}
+
+        # Failregex to match "invalid username" and extract remote_address only (if applicable)
+        failregex += ^.*invalid username\s*\{.*"remote_address":\s*"<HOST>"\s*\}
+
+        ignoreregex =
+      '';
+
+      "fail2ban/jail.d/webdav.conf".text = ''
+        [webdav]
+        enabled = true
+        port = ${builtins.toString port}
+        filter = webdav
+        logpath = /var/log/webdav/fail2ban.log
+        banaction = iptables-allports
+        ignoreself = false
+      '';
+    };
+
    systemd.services = {
      webdav.unitConfig.RequiresMountsFor = cfg.home;
      nginx.wants = [ config.systemd.services.webdav.name ];