Services: finalize and enable webdav

hosts/Hevana/default.nix

@@ -236,7 +236,7 @@ in
         };
       };
       webdav = {
-        enable = false;
+        enable = true;
         home = "${services-root}/webdav";
         url = config.secrets.services.webdav.url;
         users = config.secrets.services.webdav.users;

modules/services/webdav.nix

@@ -43,6 +43,7 @@ in
           port = port;
           scope = cfg.home;
           users = cfg.users;
+          behindProxy = true;
         };
       };
 
@@ -60,6 +61,32 @@ in
       };
     };
 
+    environment.etc = lib.mkIf config.services.fail2ban.enable {
+      "fail2ban/filter.d/webdav.conf".text = ''
+        [INCLUDES]
+        before = common.conf
+
+        [Definition]
+        # Failregex to match "invalid password" and extract remote_address only
+        failregex = ^.*invalid password\s*\{.*"remote_address":\s*"<HOST>"\s*\}
+
+        # Failregex to match "invalid username" and extract remote_address only (if applicable)
+        failregex += ^.*invalid username\s*\{.*"remote_address":\s*"<HOST>"\s*\}
+
+        ignoreregex =
+      '';
+
+      "fail2ban/jail.d/webdav.conf".text = ''
+        [webdav]
+        enabled = true
+        port = ${builtins.toString port}
+        filter = webdav
+        logpath = /var/log/webdav/fail2ban.log
+        banaction = iptables-allports
+        ignoreself = false
+      '';
+    };
+
     systemd.services = {
       webdav.unitConfig.RequiresMountsFor = cfg.home;
       nginx.wants = [ config.systemd.services.webdav.name ];