|
1 | 1 | #!/bin/bash |
2 | 2 |
|
3 | | -# Fix socket |
4 | | -rm -f /run/fail2ban/* |
5 | | - |
6 | | -if ! mountpoint -q /nextcloud; then |
7 | | - echo "/nextcloud is not a mountpoint which it must be!" |
| 3 | +if ! mountpoint -q /data; then |
| 4 | + echo "/data is not a mountpoint!" |
8 | 5 | exit 1 |
9 | 6 | fi |
10 | 7 |
|
11 | | -while ! [ -f /nextcloud/data/nextcloud.log ]; do |
12 | | - echo "Waiting for /nextcloud/data/nextcloud.log to become available" |
| 8 | +while ! nc -z nextcloud-aio-nextcloud 9001; do |
| 9 | + echo "Waiting for nextcloud to start" |
13 | 10 | sleep 5 |
14 | 11 | done |
15 | 12 |
|
16 | | -cat << FILTER > /etc/fail2ban/filter.d/nextcloud.conf |
17 | | -[INCLUDES] |
18 | | -before = common.conf |
19 | | -
|
20 | | -[Definition] |
21 | | -_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*) |
22 | | -failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed: |
23 | | - ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error. |
24 | | -datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?" |
25 | | -FILTER |
| 13 | +set -x |
| 14 | +# Reset the file |
| 15 | +sed -i "/(GEOFILTER)/,$ d" /Cadddyfile |
26 | 16 |
|
27 | | -cat << JAIL > /etc/fail2ban/jail.d/nextcloud.local |
28 | | -[nextcloud] |
29 | | -enabled = true |
30 | | -port = 80,443,8080,8443,3478 |
31 | | -protocol = tcp,udp |
32 | | -filter = nextcloud |
33 | | -banaction = %(banaction_allports)s |
34 | | -maxretry = 3 |
35 | | -bantime = 14400 |
36 | | -findtime = 14400 |
37 | | -logpath = /nextcloud/data/nextcloud.log |
38 | | -chain=DOCKER-USER |
39 | | -JAIL |
| 17 | +ALLOW_CONTRIES="$(head -n 1 filename /nextcloud/admin/files/nextcloud-aio-caddy/allowed-countries.txt)" |
| 18 | +if echo "$ALLOW_CONTRIES" | grep -q '^[A-Z ]\+$'; then |
| 19 | + FILTER_SET=1 |
| 20 | +fi |
| 21 | +if [ -f "/nextcloud/admin/files/nextcloud-aio-caddy/GeoLite2-Country.mmdb" ]; then |
| 22 | + rm -f /data/GeoLite2-Country.mmdb |
| 23 | + cp /nextcloud/admin/files/nextcloud-aio-caddy/GeoLite2-Country.mmdb /data/ |
| 24 | + FILE_THERE=1 |
| 25 | +fi |
40 | 26 |
|
41 | | -if [ -f /vaultwarden/vaultwarden.log ]; then |
42 | | - echo "Configuring vaultwarden for logs" |
43 | | - # Vaultwarden conf |
44 | | - cat << BW_CONF > /etc/fail2ban/filter.d/vaultwarden.conf |
45 | | -[INCLUDES] |
46 | | -before = common.conf |
| 27 | +if [ "$FILTER_SET" = 1 ] && [ "$FILE_THERE" = 1 ]; then |
| 28 | + cat << CADDY >> /Caddyfile |
| 29 | +(GEOFILTER) { |
| 30 | + @geofilter { |
| 31 | + not maxmind_geolocation { |
| 32 | + db_path "/data/GeoLite2-Country.mmdb" |
| 33 | + allow_countries $ALLOW_CONTRIES |
| 34 | + } |
| 35 | + not remote_ip private_ranges |
| 36 | + } |
| 37 | + respond @geofilter 403 |
| 38 | +} |
| 39 | +CADDY |
| 40 | +fi |
47 | 41 |
|
48 | | -[Definition] |
49 | | -failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$ |
50 | | -ignoreregex = |
51 | | -BW_CONF |
| 42 | +cat << CADDY >> /Caddyfile |
| 43 | +https://{\$NC_DOMAIN}:443 { |
| 44 | + # import GEOFILTER |
| 45 | + reverse_proxy nextcloud-aio-apache:{\$APACHE_PORT} |
52 | 46 |
|
53 | | - # Vaultwarden jail |
54 | | - cat << BW_JAIL_CONF > /etc/fail2ban/jail.d/vaultwarden.local |
55 | | -[vaultwarden] |
56 | | -enabled = true |
57 | | -port = 80,443,8812 |
58 | | -protocol = tcp,udp |
59 | | -filter = vaultwarden |
60 | | -banaction = %(banaction_allports)s |
61 | | -logpath = /vaultwarden/vaultwarden.log |
62 | | -maxretry = 3 |
63 | | -bantime = 14400 |
64 | | -findtime = 14400 |
65 | | -chain=DOCKER-USER |
66 | | -BW_JAIL_CONF |
| 47 | + # TLS options |
| 48 | + tls { |
| 49 | + issuer acme { |
| 50 | + disable_http_challenge |
| 51 | + } |
| 52 | + } |
| 53 | +} |
| 54 | +CADDY |
67 | 55 |
|
68 | | - # Vaultwarden-admin conf |
69 | | - cat << BWA_CONF > /etc/fail2ban/filter.d/vaultwarden-admin.conf |
70 | | -[INCLUDES] |
71 | | -before = common.conf |
| 56 | +if [ -n "$(dig A +short nextcloud-aio-vaultwarden)" ]; then |
| 57 | + cat << CADDY >> /Caddyfile |
| 58 | +https://bw.{\$NC_DOMAIN}:443 { |
| 59 | + # import GEOFILTER |
| 60 | + reverse_proxy nextcloud-aio-vaultwarden:8812 |
72 | 61 |
|
73 | | -[Definition] |
74 | | -failregex = ^.*Invalid admin token\. IP: <ADDR>.*$ |
75 | | -ignoreregex = |
76 | | -BWA_CONF |
| 62 | + # TLS options |
| 63 | + tls { |
| 64 | + issuer acme { |
| 65 | + disable_http_challenge |
| 66 | + } |
| 67 | + } |
| 68 | +} |
| 69 | +CADDY |
| 70 | +fi |
77 | 71 |
|
78 | | - # Vaultwarden-admin jail |
79 | | - cat << BWA_JAIL_CONF > /etc/fail2ban/jail.d/vaultwarden-admin.local |
80 | | -[vaultwarden-admin] |
81 | | -enabled = true |
82 | | -port = 80,443,8812 |
83 | | -protocol = tcp,udp |
84 | | -filter = vaultwarden-admin |
85 | | -banaction = %(banaction_allports)s |
86 | | -logpath = /vaultwarden/vaultwarden.log |
87 | | -maxretry = 3 |
88 | | -bantime = 14400 |
89 | | -findtime = 14400 |
90 | | -chain=DOCKER-USER |
91 | | -BWA_JAIL_CONF |
| 72 | +if [ "$FILTER_SET" = 1 ] && [ "$FILE_THERE" = 1 ]; then |
| 73 | + sed -i "s|# import GEOFILTER|import GEOFILTER|" /Caddyfile |
92 | 74 | fi |
| 75 | +set +x |
| 76 | + |
| 77 | +caddy fmt --overwrite /Caddyfile |
93 | 78 |
|
94 | | -fail2ban-server -f --logtarget stderr --loglevel info |
| 79 | +caddy run --config /Caddyfile |
0 commit comments