Added fix for fail2ban on mail

2023-05-15 17:24:29 +00:00 · 2023-05-15 17:24:29 +00:00 · e1ac7538a0
commit e1ac7538a0
parent cc6fef50f0
10 changed files with 53 additions and 14 deletions
--- a/lib/baserow.sh
+++ b/lib/baserow.sh
@ -63,7 +63,6 @@ EMAIL_SMTP_USE_TLS=True
 EOF
 chmod 600 /federated/apps/baserow/.env

-BASEROW_SECRET="BlAYmXoxZ6mJHzL0VbeP2cfif3NGoVQm"
 echo "$BASEROW_SECRET" > /federated/apps/baserow/data/baserow/data/.federated.postgresql.secret

 cat > /federated/apps/baserow/data/createuser.sh <<EOF
--- a/lib/functions.sh
+++ b/lib/functions.sh
@ -2,6 +2,7 @@

 # Define all services
 SERVICES=("pdnsmysql" "pdns" "pdnsadmin" "traefik" "postgresql" "ldap" "mail" "collabora" "nextcloud" "matrix" "element" "listmonk" "vaultwarden" "panel" "wireguard" "jitsi" "baserow" "gitea" "caddy")
+#SERVICES=("nextcloud" "matrix" "element" "listmonk" "vaultwarden" "panel" "wireguard" "jitsi" "baserow" "gitea" "caddy")

 fail() {
  echo -ne "FAILED\n\n$1\n\n"
--- a/lib/gitea.sh
+++ b/lib/gitea.sh
@ -50,8 +50,6 @@ networks:
    external: true
 EOF

-GITEA_SECRET="pcf1SCINj6zVSsHdu7b4ugkjTr3IL1Py"
-
 cat > /federated/apps/gitea/.env <<EOF
 IMAGE_VERSION="1.19.0"
 USER_UID=1000
--- a/lib/listmonk.sh
+++ b/lib/listmonk.sh
@ -43,8 +43,6 @@ networks:
    external: true
 EOF

-LISTMONK_SECRET="CTxR2dmNiDpdt2F5tN5ZTqQN0HPiWgX4"
-
 cat > /federated/apps/listmonk/.env <<EOF
 IMAGE_VERSION="v2.3.0"
 TZ=Etc/UTC
@ -53,8 +51,8 @@ EOF
 cat > /federated/apps/listmonk/data/listmonk/config.toml <<EOF
 [app]
 address = "0.0.0.0:9000"
-admin_username = "admin"
-admin_password = "$ADMINPASS"
+admin_username = "listmonk"
+admin_password = "$LISTMONKPASS"

 # Database.
 [db]
--- a/lib/mail.sh
+++ b/lib/mail.sh
@ -104,6 +104,46 @@ cat > /federated/apps/mail/data/tmp/docker-mailserver/postfix-main.cf <<'EOF'
 smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_sender_login_mismatch, reject_unknown_reverse_client_hostname, reject_unknown_client_hostname
 smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain, check_policy_service inet:127.0.0.1:10023, reject_rhsbl_helo dbl.spamhaus.org, reject_rhsbl_reverse_client dbl.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org, reject_rbl_client zen.spamhaus.org
 smtpd_sender_login_maps = ldap:/etc/postfix/ldap-aliases.cf
+EOF
+
+cat /federated/apps/mail/data/tmp/docker-mailserver/fail2ban-jail.cf <<'EOF'
+[DEFAULT]
+
+# "bantime" is the number of seconds that a host is banned.
+bantime = 3h
+
+# A host is banned if it has generated "maxretry" during the last "findtime"
+# seconds.
+findtime = 5m
+
+# "maxretry" is the number of failures before a host get banned.
+maxretry = 12
+
+# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
+# will not ban a host which matches an address in this list. Several addresses
+# can be defined using space (and/or comma) separator.
+ignoreip = 127.0.0.1/8,172.99.0.0/16
+
+# default ban action
+# nftables-multiport: block IP only on affected port
+# nftables-allports:  block IP on all ports
+banaction = nftables-allports
+
+[dovecot]
+enabled = true
+
+[postfix]
+enabled = true
+
+[postfix-sasl]
+enabled = true
+
+# This jail is used for manual bans.
+# To ban an IP address use: setup.sh fail2ban ban <IP>
+[custom]
+enabled = true
+bantime = 180d
+port = smtp,pop3,pop3s,imap,imaps,submission,submissions,sieve
 EOF

  kill -9 $SPINPID &> /dev/null
--- a/lib/matrix.sh
+++ b/lib/matrix.sh
@ -49,7 +49,6 @@ EOF
 chmod 600 /federated/apps/matrix/.env

 LDAP_SECRET=`cat /federated/apps/ldap/.ldap.secret`
-MATRIX_SECRET="zKCXIwLSamYDG6vlNDeXGFUnzmR5sXYX"

 # Generate the matrix homeserver.yaml file
 docker run -it --rm -v "/federated/apps/matrix/data/matrix:/data" -e SYNAPSE_SERVER_NAME=matrix.$DOMAIN -e SYNAPSE_REPORT_STATS=yes matrixdotorg/synapse:latest generate &> /dev/null
--- a/lib/nextcloud.sh
+++ b/lib/nextcloud.sh
@ -63,7 +63,13 @@ networks:
 EOF

 LDAP_SECRET=`cat /federated/apps/ldap/.ldap.secret`
-NEXTCLOUD_SECRET="DEeFFCSLHiZKiV0nJQG7QiOFoPUp7lRb"
+#NEXTCLOUD_SECRET="ANwcxRML5QLWK4KifvN3yjz8TzDYUqxX"
+#VAULTWARDEN_SECRET="QAv4BdZkQ07EpnZNJaSAGVPQwY0X1SW3"
+#LISTMONK_SECRET="apQrEML1Lfhnr6PzGNlDTS1svyVBY7UH"
+#MATRIX_SECRET="YpcqfSRASIGwQX4iNbZNfo06zpTFf9KA"
+#BASEROW_SECRET="O4ogPCYSN2efhlu9GLgeFRK469mkyiIm"
+#GITEA_SECRET="qmkqnSEYmQNIxtz9amSUWW6rRiBsJYQ1"
+
 echo "$NEXTCLOUD_SECRET" > /federated/apps/nextcloud/.postgresql.secret
 echo "$ADMINPASS" > /federated/apps/nextcloud/.nextcloud.secret
 chmod 600 /federated/apps/nextcloud/.postgresql.secret /federated/apps/nextcloud/.nextcloud.secret
@ -212,12 +218,12 @@ PATH=/var/www/html:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/sbin:/bin
 /var/www/html/occ app:enable spreed
 /var/www/html/occ app:enable side_menu
 /var/www/html/occ app:enable richdocuments
+/var/www/html/occ mail:account:create admin admin admin@$DOMAIN mail.$DOMAIN 993 ssl admin@$DOMAIN $ADMINPASS mail.$DOMAIN 465 ssl admin@$DOMAIN $ADMINPASS password
 /var/www/html/occ config:app:set --value https:\/\/collabora.$DOMAIN richdocuments public_wopi_url
 /var/www/html/occ config:app:set --value https:\/\/collabora.$DOMAIN richdocuments wopi_url
 /var/www/html/occ config:app:set --value ooxml richdocuments doc_format
 /var/www/html/occ config:app:set --value "" richdocuments disable_certificate_verification
 /var/www/html/occ config:import configs.json
-/var/www/html/occ mail:account:create admin admin admin@$DOMAIN mail.$DOMAIN 993 ssl admin@$DOMAIN $ADMINPASS mail.$DOMAIN 465 ssl admin@$DOMAIN $ADMINPASS password
 EOF

 chmod +x /federated/apps/nextcloud/data/config.sh
--- a/lib/pdns.sh
+++ b/lib/pdns.sh
@ -79,7 +79,7 @@ curl -X PATCH --data '{"rrsets": [ {"name": "$DOMAIN.", "type": "MX", "ttl": 864
 curl -X PATCH --data '{"rrsets": [ {"name": "$DOMAIN.", "type": "TXT", "ttl": 86400, "changetype": "REPLACE", "records": [ {"content": "\"v=spf1 mx a:$DOMAIN ~all\"", "disabled": false } ] } ] }' -H 'X-API-Key: $PDNS_APIKEY' http://127.0.0.1:8081/api/v1/servers/localhost/zones/$DOMAIN.

 # Create the A records for domain
-for i in ns1 ns2 pdnsadmin traefik mail www computer panel nextcloud collabora jitsi matrix element listmonk vaultwarden vpn wireguard baserow gitea blog documentation; do
+for i in ns1 ns2 pdnsadmin powerdns traefik mail www computer panel nextcloud collabora jitsi matrix element listmonk vaultwarden vpn wireguard baserow gitea blog documentation; do
  curl -X PATCH --data "{\"rrsets\": [ {\"name\": \"\$i.$DOMAIN.\", \"type\": \"A\", \"ttl\": 86400, \"changetype\": \"REPLACE\", \"records\": [ {\"content\": \"$EXTERNALIP\", \"disabled\": false } ] } ] }" -H 'X-API-Key: $PDNS_APIKEY' http://127.0.0.1:8081/api/v1/servers/localhost/zones/$DOMAIN.
 done

--- a/lib/pdnsadmin.sh
+++ b/lib/pdnsadmin.sh
@ -32,7 +32,7 @@ services:
      - ./data/etc/uwsgi.ini:/etc/uwsgi.ini
    labels:
      - "traefik.enable=true"
-      - "traefik.http.routers.pdnsadmin.rule=Host(\`pdnsadmin.$DOMAIN\`)"
+      - "traefik.http.routers.pdnsadmin.rule=Host(\`powerdns.$DOMAIN\`)"
      - "traefik.http.routers.pdnsadmin.entrypoints=websecure"
      - "traefik.http.routers.pdnsadmin.tls.certresolver=letsencrypt"

--- a/lib/vaultwarden.sh
+++ b/lib/vaultwarden.sh
@ -41,8 +41,6 @@ networks:
    external: true
 EOF

-VAULTWARDEN_SECRET="tVCSy89xjQIgaoHbz1n0aol1SPbsPMOV"
-
 cat > /federated/apps/vaultwarden/.env <<EOF
 IMAGE_VERSION="1.27.0"
 DATABASE_URL=postgresql://vaultwarden:$VAULTWARDEN_SECRET@postgresql.$DOMAIN:5432/vaultwarden