Install fail2ban using system manager

Introducing a system manager fail2ban module. This module introduce
two extra filters and fails on top of the builtin ones adapted from
the current ansible deployment for postgresql and pgbouncer.

Author: picnoir

flake.lock

@@ -2,8 +2,10 @@
 let
   mkModules = system: [
     self.systemModules.ssh-config
+    self.systemModules.fail2ban
     ({
       nixpkgs.hostPlatform = system;
+      supabase.services.fail2ban.enable = true;
     })
   ];
 

nix/systemConfigs.nix

@@ -18,6 +18,7 @@
           mode = "0644";
         };
       };
+      fail2ban = ./fail2ban.nix;
     };
   };
 }

nix/systemModules/default.nix

@@ -0,0 +1,83 @@
+{
+  lib,
+  nixosModulesPath,
+  config,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.supabase.services.fail2ban;
+in
+{
+  imports = [
+    "${nixosModulesPath}/services/security/fail2ban.nix"
+  ];
+
+  options = {
+    # Create a dummy openssh option to unbreak the
+    # > The option `services.openssh.settings' does not exist.
+    # we face when importing the NixOS fail2ban.nix module.
+    #
+    # Note: the fail2ban module is trying to increase the log
+    # verbosity of the openssh daemon to simplify debug. We don't
+    # really need this feature: system-manager is not controlling the
+    # ssh daemon here.
+    #
+    # TOREMOVE if we end up provisionning openssh through
+    # systemmanager.
+    services.openssh.settings = lib.mkOption {
+      type = lib.types.attrs;
+    };
+    # Some goes for nftables
+    networking.nftables.enable = lib.mkEnableOption "dummy nftable module";
+
+    # TODO move to iptables
+    supabase.services.fail2ban = {
+      enable = lib.mkEnableOption "Fail2Ban";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    # Dummy
+    networking.nftables.enable = true;
+    services.fail2ban = {
+      enable = true;
+      bantime = "3600";
+      packageFirewall = pkgs.nftables;
+      jails = {
+        postgresql = {
+          settings = {
+            enabled = true;
+            port = "5432";
+            protocol = "tcp";
+            filter = "postgresql";
+            logpath = "/var/log/postgresql/auth-failures.csv";
+            maxretry = 3;
+            ignoreip = "192.168.0.0/16 172.17.1.0/20";
+          };
+        };
+        pgbouncer = {
+          settings = {
+            enabled = true;
+            port = "6543";
+            protocol = "tcp";
+            filter = "pgbouncer";
+            backend = "systemd[journalflags=1]";
+            maxretry = 3;
+          };
+        };
+      };
+    };
+
+    environment.etc = {
+      "fail2ban/filter.d/postgresql.conf".source = ./postgresql-filter.conf;
+      "fail2ban/filter.d/pgbouncer.conf".source = ./pgbouncer.conf;
+    };
+
+    systemd.services.fail2ban = {
+      wantedBy = lib.mkForce [
+        "system-manager.target"
+      ];
+    };
+  };
+}

nix/systemModules/fail2ban.nix

@@ -0,0 +1,8 @@
+[Init]
+maxlines = 3
+
+[Definition]
+failregex = ^.+@<HOST>:.+password authentication failed$
+            ^.+@<HOST>:.+pooler error: no such user$
+            ^.+@<HOST>:.+registered new auto-database.*\n.*\n.*server login failed: FATAL database ".+" does not exist.*$
+journalmatch = _SYSTEMD_UNIT=pgbouncer.service

nix/systemModules/pgbouncer.conf

@@ -0,0 +1,4 @@
+[Definition]
+failregex = ^.*,.*,.*,.*,"<HOST>:.*password authentication failed for user.*$
+            ^.*no pg_hba\.conf entry for host "<HOST>",.*$
+ignoreregex = ^.*,.*,.*,.*,"127\.0\.0\.1.*password authentication failed for user.*$

nix/systemModules/postgresql-filter.conf

@@ -30,6 +30,9 @@
                   assert machine.file("/etc/ssh/sshd_config.d/local.conf").user == "root", "/etc/ssh/sshd_config.d/local.conf should be owned by root"
                   assert machine.file("/etc/ssh/sshd_config.d/local.conf").group == "root", "/etc/ssh/sshd_config.d/local.conf should be owned by root"
                   assert machine.file("/etc/ssh/sshd_config.d/local.conf").contains("Match Address"), "/etc/ssh/sshd_config.d/local.conf should contain 'Match Address'"
+              with subtest("Verify system manager config"):
+                  machine.wait_for_unit("fail2ban.service")
+
             '';
           };
       };