nextcloud: Sichere Instanze mit fail2ban ab

files/fail2ban/filter.conf

@@ -0,0 +1,5 @@
+[Definition]
+_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
+failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
+            ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
+datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"

handlers/main.yml

@@ -23,3 +23,8 @@
 
 - name: start php-fpm-socket
   command: systemctl start php-fpm@*.socket --all
+
+- name: restart fail2ban
+  service:
+    name: fail2ban
+    state: restarted

tasks/fail2ban.yml

@@ -0,0 +1,12 @@
+---
+- name: "fail2ban | {{ instance.name }} | Kopiere Filter"
+  copy:
+    src: fail2ban/filter.conf
+    dest: /etc/fail2ban/filter.d/nextcloud.conf
+  notify: restart fail2ban
+
+- name: "fail2ban | {{ instance.name }} | Kopiere Jail"
+  template:
+    src: fail2ban/jail.conf.j2
+    dest: /etc/fail2ban/jail.d/nextcloud-{{ instance.user }}.conf
+  notify: restart fail2ban

tasks/main.yml

@@ -27,3 +27,6 @@
 
 - import_tasks: fixes.yml
   tags: fixes
+
+- import_tasks: fail2ban.yml
+  tags: fail2ban

templates/fail2ban/jail.conf.j2

@@ -0,0 +1,12 @@
+# {{ ansible_managed }}
+
+[nextcloud-{{ instance.user }}]
+backend = auto
+enabled = true
+port = 80,443
+protocol = tcp
+filter = nextcloud
+maxretry = 3
+bantime = 86400
+findtime = 43200
+logpath = {{ nextcloud_root }}/{{ instance.name }}/data/nextcloud.log