Update to NixOS 23.11

Most of the release notes we have the luxury of not caring about, however
for some we needed to make changes

- postgresql ensurePermissions was deprecated. We have replaced it with a
  combination of the new ensureDBOwner, and manual permissions grants
  where that is not applicable
- fetchPypi should now be used at top-level. We used it once to install
  jishaku for ClicksForms. We have replaced the usage. There should be a
  broader conversation about the future of ClicksForms, but while
  upgrading to 23.11 is probably not the time for that
- fail2ban configs for things we no longer run have been removed

Additionally, the following things were looked at in-detail and deemed
non-important
- passwordFile changes (we do not use passwords, at all)
- matrix changes (we believe this will need no module changes for our
  use-case)
- nextcloud phpOptions changes (this may reintroduce some default PHP
  options. We didn't realize we were clobbering them and consider this to
  be a good thing)
- vaultwarden default host change (we already specify a host)
- RAID changes (neither a1d1 or a1d2 currently use software RAID)
- nixpkgs.config with external packages warnings (we don't use any
  nixpkgs.config options, but if we did we could remove them and keep
  the same behavior)
- nextcloud upgrade to 27 (we already use nextcloud 27)
- matrix workers and redis configuration (redis doesn't provide a benefit
  outside of workers, our deployment is too small to need workers)
- several services have improved requirements. In particular, lots of
  dependencies around postgres have been improved

We haven't yet updated mongodb, it may be a good idea to migrate to
ferretdb but this is better placed in a later change as migration will
require migrating all the data which will likely get messy

Change-Id: I8db3cc5bfa68bc591ef5e467e8c7de0cae30b300
Reviewed-on: https://git.clicks.codes/c/Clicks/NixFiles/+/122
Tested-by: Samuel Shuert <coded@clicks.codes>
Reviewed-by: Samuel Shuert <coded@clicks.codes>
diff --git a/modules/common/fail2ban.nix b/modules/common/fail2ban.nix
index 5368094..ef06f0a 100644
--- a/modules/common/fail2ban.nix
+++ b/modules/common/fail2ban.nix
@@ -1,74 +1,12 @@
 { config, ... }: {
   services.fail2ban = {
     enable = true;
-    jails = {
-      mailu-auth-fail = ''
-        enabled = true
-        backend = systemd
-        filter = mailu-auth-fail
-        bantime = 604800
-        findtime = 600
-        maxretry = 5
-      '';
-      mailu-auth-limit = ''
-        enabled = true
-        backend = systemd
-        filter = mailu-auth-limit
-        bantime = 604800
-        findtime = 900
-        maxretry = 15
-      '';
-      samba = ''
-        filter=samba-filter
-        enabled=true
-        logpath=/var/log/messages
-        maxretry=1
-        findtime=600
-        bantime=2592000
-      '';
-    };
     banaction-allports = "iptables-allports";
     banaction = config.services.fail2ban.banaction-allports;
-    bantime = "24h";
     bantime-increment = {
       enable = true;
-      rndtime = "1h";
+      rndtime = "5m";
       overalljails = true;
-      factor = "24";
     };
   };
-  environment.etc = {
-    "fail2ban/filter.d/mailu-auth-fail.conf".text = ''
-      [Definition]
-      failregex = ^\s?\S+ mailu\-front\[\d+\]: \S+ \S+ \[info\] \d+#\d+: \*\d+ client login failed: \"AUTH not supported\" while in http auth state, client: <HOST>, server:
-      ignoreregex =
-      journalmatch = CONTAINER_TAG=mailu-front
-    '';
-
-    "fail2ban/filter.d/mailu-auth-limit.conf".text = ''
-      [Definition]
-      failregex = : Authentication attempt from <HOST> has been rate-limited\.$
-      ignoreregex =
-      journalmatch = CONTAINER_TAG=mailu-admin
-    '';
-
-    "fail2ban/filter.d/samba-filter.conf".text = ''
-      [Definition]
-      # Honeypot file regex. The files in the honeypot folder MUST match this regex
-      __honeypot_files_re=(-sync-decrypted\.)
-
-      # Known ransomware extensions regex
-      __known_ransom_extensions_re=(\.k$|\.encoderpass$|\.key$|\.ecc$|\.ezz$|\.exx$|\.zzz$|\.xyz$|\.aaa$|\.abc$|\.ccc$|\.vvv$|\.xxx$|\.ttt$|\.micro$|\.encrypted$|\.locked$|\.crypto$|_crypt$|\.crinf$|\.r5a$|\.xrtn$|\.XTBL$|\.crypt$|\.R16M01D05$|\.pzdc$|\.good$|\.LOL\!$|\.OMG\!$|\.RDM$|\.RRK$|\.encryptedRSA$|\.crjoker$|\.EnCiPhErEd$|\.LeChiffre$|\.keybtc@inbox_com$|\.0x0$|\.bleep$|\.1999$|\.vault$|\.HA3$|\.toxcrypt$|\.magic$|\.SUPERCRYPT$|\.CTBL$|\.CTB2$|\.locky$|\.wnry$|\.wcry$|\.wncry$|\.wncryt$|\.uiwix$)
-      # Known ransomware files regex
-      __known_ransom_files_re=(HELPDECRYPT\.TXT$|HELP_YOUR_FILES\.TXT$|HELP_TO_DECRYPT_YOUR_FILES\.txt$|RECOVERY_KEY\.txt$|HELP_RESTORE_FILES\.txt$|HELP_RECOVER_FILES\.txt$|HELP_TO_SAVE_FILES\.txt$|DecryptAllFiles\.txt$|DECRYPT_INSTRUCTIONS\.TXT$|INSTRUCCIONES_DESCIFRADO\.TXT$|How_To_Recover_Files\.txt$|YOUR_FILES\.HTML$|YOUR_FILES\.url$|Help_Decrypt\.txt$|DECRYPT_INSTRUCTION\.TXT$|HOW_TO_DECRYPT_FILES\.TXT$|ReadDecryptFilesHere\.txt$|Coin\.Locker\.txt$|_secret_code\.txt$|About_Files\.txt$|Read\.txt$|ReadMe\.txt$|DECRYPT_ReadMe\.TXT$|DecryptAllFiles\.txt$|FILESAREGONE\.TXT$|IAMREADYTOPAY\.TXT$|HELLOTHERE\.TXT$|READTHISNOW\!\!\!\.TXT$|SECRETIDHERE\.KEY$|IHAVEYOURSECRET\.KEY$|SECRET\.KEY$|HELPDECYPRT_YOUR_FILES\.HTML$|help_decrypt_your_files\.html$|HELP_TO_SAVE_FILES\.txt$|RECOVERY_FILES\.txt$|RECOVERY_FILE\.TXT$|RECOVERY_FILE.*\.txt$|HowtoRESTORE_FILES\.txt$|HowtoRestore_FILES\.txt$|howto_recover_file\.txt$|restorefiles\.txt$|howrecover\+.*\.txt$|_how_recover\.txt$|recoveryfile.*\.txt$|recoverfile.*\.txt$|recoveryfile.*\.txt$|Howto_Restore_FILES\.TXT$|help_recover_instructions\+.*\.txt$|_Locky_recover_instructions\.txt$)
-
-      # Match on known ransomware regex or generic honeypot
-      failregex = smbd.*:\ IP=<HOST>\ .*%(__honeypot_files_re)s
-            smbd.*:\ IP=<HOST>\ .*%(__known_ransom_extensions_re)s
-            smbd.*:\ IP=<HOST>\ .*%(__known_ransom_files_re)s
-
-      # Filter generously provided by https://github.com/CanaryTek/ransomware-samba-tools
-      # Provided under GPL3
-    '';
-  };
 }
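Review bot: Beyond removing the unused jails and filters, the hunk also drops `bantime = "24h";` and `factor = "24";` and lowers `rndtime` from `"1h"` to `"5m"`, which the commit message ("fail2ban configs for things we no longer run have been removed") does not cover. With those lines gone the base ban length and the increment multiplier fall back to the NixOS module defaults, which are presumably much shorter than the previous 24h base with 24x escalation, so the remaining jails (the module's default sshd jail, if enabled) ban repeat offenders for far less time than before. If that weakening is unintended, restore `bantime = "24h";` and `factor = "24";` inside `services.fail2ban`; if it is intended, a one-line comment such as `# 23.11 update: ban lengths now rely on module defaults` next to `bantime-increment` would record the decision for the next reviewer.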