From e1ac7538a0972a6b9ef0e2e13f0364d8448b766d Mon Sep 17 00:00:00 2001 From: root Date: Mon, 15 May 2023 17:24:29 +0000 Subject: [PATCH] Added fix for fail2ban on mail --- lib/baserow.sh | 1 - lib/functions.sh | 1 + lib/gitea.sh | 2 -- lib/listmonk.sh | 6 ++---- lib/mail.sh | 40 ++++++++++++++++++++++++++++++++++++++++ lib/matrix.sh | 1 - lib/nextcloud.sh | 10 ++++++++-- lib/pdns.sh | 2 +- lib/pdnsadmin.sh | 2 +- lib/vaultwarden.sh | 2 -- 10 files changed, 53 insertions(+), 14 deletions(-) diff --git a/lib/baserow.sh b/lib/baserow.sh index 2d6e6a1..7718b85 100644 --- a/lib/baserow.sh +++ b/lib/baserow.sh 
@@ -63,7 +63,6 @@ EMAIL_SMTP_USE_TLS=True EOF chmod 600 /federated/apps/baserow/.env -BASEROW_SECRET="BlAYmXoxZ6mJHzL0VbeP2cfif3NGoVQm" echo "$BASEROW_SECRET" > /federated/apps/baserow/data/baserow/data/.federated.postgresql.secret cat > /federated/apps/baserow/data/createuser.sh < /federated/apps/gitea/.env < /federated/apps/listmonk/.env < /federated/apps/listmonk/data/listmonk/config.toml < /federated/apps/mail/data/tmp/docker-mailserver/postfix-main.cf <<'EOF' smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_sender_login_mismatch, reject_unknown_reverse_client_hostname, reject_unknown_client_hostname smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain, check_policy_service inet:127.0.0.1:10023, reject_rhsbl_helo dbl.spamhaus.org, reject_rhsbl_reverse_client dbl.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org, reject_rbl_client zen.spamhaus.org smtpd_sender_login_maps = ldap:/etc/postfix/ldap-aliases.cf +EOF + +cat /federated/apps/mail/data/tmp/docker-mailserver/fail2ban-jail.cf <<'EOF' +[DEFAULT] + +# "bantime" is the number of seconds that a host is banned. +bantime = 3h + +# A host is banned if it has generated "maxretry" during the last "findtime" +# seconds. +findtime = 5m + +# "maxretry" is the number of failures before a host get banned. +maxretry = 12 + +# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban +# will not ban a host which matches an address in this list. Several addresses +# can be defined using space (and/or comma) separator. 
+ignoreip = 127.0.0.1/8,172.99.0.0/16 + +# default ban action +# nftables-multiport: block IP only on affected port +# nftables-allports: block IP on all ports +banaction = nftables-allports + +[dovecot] +enabled = true + +[postfix] +enabled = true + +[postfix-sasl] +enabled = true + +# This jail is used for manual bans. +# To ban an IP address use: setup.sh fail2ban ban +[custom] +enabled = true +bantime = 180d +port = smtp,pop3,pop3s,imap,imaps,submission,submissions,sieve EOF kill -9 $SPINPID &> /dev/null diff --git a/lib/matrix.sh b/lib/matrix.sh index eec7769..d8d99cf 100644 --- a/lib/matrix.sh +++ b/lib/matrix.sh @@ -49,7 +49,6 @@ EOF chmod 600 /federated/apps/matrix/.env LDAP_SECRET=`cat /federated/apps/ldap/.ldap.secret` -MATRIX_SECRET="zKCXIwLSamYDG6vlNDeXGFUnzmR5sXYX" # Generate the matrix homeserver.yaml file docker run -it --rm -v "/federated/apps/matrix/data/matrix:/data" -e SYNAPSE_SERVER_NAME=matrix.$DOMAIN -e SYNAPSE_REPORT_STATS=yes matrixdotorg/synapse:latest generate &> /dev/null diff --git a/lib/nextcloud.sh b/lib/nextcloud.sh index 92fc688..24d041c 100644 --- a/lib/nextcloud.sh +++ b/lib/nextcloud.sh @@ -63,7 +63,13 @@ networks: EOF LDAP_SECRET=`cat /federated/apps/ldap/.ldap.secret` -NEXTCLOUD_SECRET="DEeFFCSLHiZKiV0nJQG7QiOFoPUp7lRb" +#NEXTCLOUD_SECRET="ANwcxRML5QLWK4KifvN3yjz8TzDYUqxX" +#VAULTWARDEN_SECRET="QAv4BdZkQ07EpnZNJaSAGVPQwY0X1SW3" +#LISTMONK_SECRET="apQrEML1Lfhnr6PzGNlDTS1svyVBY7UH" +#MATRIX_SECRET="YpcqfSRASIGwQX4iNbZNfo06zpTFf9KA" +#BASEROW_SECRET="O4ogPCYSN2efhlu9GLgeFRK469mkyiIm" +#GITEA_SECRET="qmkqnSEYmQNIxtz9amSUWW6rRiBsJYQ1" + echo "$NEXTCLOUD_SECRET" > /federated/apps/nextcloud/.postgresql.secret echo "$ADMINPASS" > /federated/apps/nextcloud/.nextcloud.secret chmod 600 /federated/apps/nextcloud/.postgresql.secret /federated/apps/nextcloud/.nextcloud.secret 
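Review bot: The jail file is never written, because the added line reads `cat /federated/apps/mail/data/tmp/docker-mailserver/fail2ban-jail.cf <<'EOF'` with no redirection: cat opens the named file (and fails if it does not exist yet) while the here-document body is consumed from stdin and discarded, so the bantime/findtime/maxretry/banaction settings this commit exists to add never reach docker-mailserver; it should be `cat > /federated/apps/mail/data/tmp/docker-mailserver/fail2ban-jail.cf <<'EOF'`, and since output appears to be hidden behind the spinner (the `kill -9 $SPINPID &> /dev/null` context line) the failure would be silent. Two settings in the body also deserve a comment: `ignoreip = 127.0.0.1/8,172.99.0.0/16` exempts the whole container network, so if any mail port is reached through a proxy or a userland-proxied Docker port mapping that rewrites the client source to a bridge address, those clients can never be banned — a line such as `# 172.99.0.0/16 is the internal docker network; external SMTP/IMAP must not be routed through it or bans will not apply` would make the assumption explicit. `banaction = nftables-allports` only takes effect if the mail container has NET_ADMIN and nftables available, which nothing in this hunk shows, so that should be verified or stated. The hunk's `@@` header is not visible here, so the code above the `postfix-main.cf` here-document is only partly seen.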
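Review bot: The six new `#NEXTCLOUD_SECRET=` … `#GITEA_SECRET=` lines commit a block of what look like database passwords for every service as commented-out code, which is the same hard-coded-secret pattern the rest of this commit removes from baserow.sh, matrix.sh and vaultwarden.sh; anything committed here has to be treated as burned, so the block should be deleted rather than commented (the values remain in history either way and must not be reused as live secrets). With the live `NEXTCLOUD_SECRET=` assignment removed and no replacement visible in this hunk, the context line `echo "$NEXTCLOUD_SECRET" > /federated/apps/nextcloud/.postgresql.secret` will quietly write an empty line unless the value now comes from a sourced file (functions.sh is touched by this commit, which may be where it is generated). A guard such as `: "${NEXTCLOUD_SECRET:?NEXTCLOUD_SECRET must be set before writing .postgresql.secret}"` immediately before that echo would turn that into a loud failure instead of an unusable database.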
@@ -212,12 +218,12 @@ PATH=/var/www/html:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/sbin:/bin
 /var/www/html/occ app:enable spreed
 /var/www/html/occ app:enable side_menu
 /var/www/html/occ app:enable richdocuments
+/var/www/html/occ mail:account:create admin admin admin@$DOMAIN mail.$DOMAIN 993 ssl admin@$DOMAIN $ADMINPASS mail.$DOMAIN 465 ssl admin@$DOMAIN $ADMINPASS password
 /var/www/html/occ config:app:set --value https:\/\/collabora.$DOMAIN richdocuments public_wopi_url
 /var/www/html/occ config:app:set --value https:\/\/collabora.$DOMAIN richdocuments wopi_url
 /var/www/html/occ config:app:set --value ooxml richdocuments doc_format
 /var/www/html/occ config:app:set --value "" richdocuments disable_certificate_verification
 /var/www/html/occ config:import configs.json
-/var/www/html/occ mail:account:create admin admin admin@$DOMAIN mail.$DOMAIN 993 ssl admin@$DOMAIN $ADMINPASS mail.$DOMAIN 465 ssl admin@$DOMAIN $ADMINPASS password
 EOF
 chmod +x /federated/apps/nextcloud/data/config.sh
diff --git a/lib/pdns.sh b/lib/pdns.sh
index e940bc7..46ce462 100644
--- a/lib/pdns.sh
+++ b/lib/pdns.sh
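Review bot: The relocated `mail:account:create` line interpolates `$ADMINPASS` twice, unquoted, into the generated config.sh (the `cat > … <<EOF` that opens this here-document starts above the hunk), so a password containing whitespace, quotes or `$` breaks or alters the occ command, and the clear-text password then sits in a script on disk and shows up in the process list of whoever runs it. At minimum the generated line should quote the value (single quotes, with any embedded single quote escaped first) and the script should be restricted, e.g. `chmod 700 /federated/apps/nextcloud/data/config.sh` in place of `chmod +x`, assuming the container executes it as root — if another uid must read it, limit group/other instead. Moving the call ahead of `config:import configs.json` is presumably deliberate but the commit message does not say why; if the intent is to keep the imported settings from being overwritten, a comment such as `# create the admin mail account before config:import so the imported settings win` would record that.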
@@ -79,7 +79,7 @@ curl -X PATCH --data '{"rrsets": [ {"name": "$DOMAIN.", "type": "MX", "ttl": 864 curl -X PATCH --data '{"rrsets": [ {"name": "$DOMAIN.", "type": "TXT", "ttl": 86400, "changetype": "REPLACE", "records": [ {"content": "\"v=spf1 mx a:$DOMAIN ~all\"", "disabled": false } ] } ] }' -H 'X-API-Key: $PDNS_APIKEY' http://127.0.0.1:8081/api/v1/servers/localhost/zones/$DOMAIN. # Create the A records for domain -for i in ns1 ns2 pdnsadmin traefik mail www computer panel nextcloud collabora jitsi matrix element listmonk vaultwarden vpn wireguard baserow gitea blog documentation; do +for i in ns1 ns2 pdnsadmin powerdns traefik mail www computer panel nextcloud collabora jitsi matrix element listmonk vaultwarden vpn wireguard baserow gitea blog documentation; do curl -X PATCH --data "{\"rrsets\": [ {\"name\": \"\$i.$DOMAIN.\", \"type\": \"A\", \"ttl\": 86400, \"changetype\": \"REPLACE\", \"records\": [ {\"content\": \"$EXTERNALIP\", \"disabled\": false } ] } ] }" -H 'X-API-Key: $PDNS_APIKEY' http://127.0.0.1:8081/api/v1/servers/localhost/zones/$DOMAIN. done diff --git a/lib/pdnsadmin.sh b/lib/pdnsadmin.sh index b35611f..e20d3b8 100644 --- a/lib/pdnsadmin.sh +++ b/lib/pdnsadmin.sh @@ -32,7 +32,7 @@ services: - ./data/etc/uwsgi.ini:/etc/uwsgi.ini labels: - "traefik.enable=true" - - "traefik.http.routers.pdnsadmin.rule=Host(\`pdnsadmin.$DOMAIN\`)" + - "traefik.http.routers.pdnsadmin.rule=Host(\`powerdns.$DOMAIN\`)" - "traefik.http.routers.pdnsadmin.entrypoints=websecure" - "traefik.http.routers.pdnsadmin.tls.certresolver=letsencrypt" diff --git a/lib/vaultwarden.sh b/lib/vaultwarden.sh index 95a3905..bcd8dae 100644 --- a/lib/vaultwarden.sh +++ b/lib/vaultwarden.sh @@ -41,8 +41,6 @@ networks: external: true EOF -VAULTWARDEN_SECRET="tVCSy89xjQIgaoHbz1n0aol1SPbsPMOV" - cat > /federated/apps/vaultwarden/.env <