First Commit

Taskfile.yml

@@ -0,0 +1,62 @@
+version: '3'
+
+tasks:
+
+  default:
+    cmds:
+      - if command -v task; then task -l else go-task -l; fi
+
+  install:
+    cmds:
+      - mkdir ~/.local/bin
+      - mv go-task/task ~/.local/bin
+      - sudo mv go-task/task.bash /etc/bash_completion.d
+      - sudo rpm-ostree install fail2ban
+      - sudo cp zerotier/zerotier.repo /etc/yum/yum.repos.d
+      - sudo rpm-ostree install zerotier-one
+
+  f2bs:
+    desc: Status of fail2ban bans
+    cmds:
+      - sudo fail2ban-client get sshd banip --with-time
+      - sudo fail2ban-client get bad-auth banip --with-time
+      - df
+    preconditions:
+      - test 'command -v fail2ban-client'
+
+  ztrs:
+    desc: Status of zerotier network
+    cmds:
+      - sudo zerotier-cli status
+      - sudo zerotier-cli listnetworks
+    preconditions:
+      - test 'command -v zerotier-cli'
+
+  mailu:
+    desc: Setup fail2ban for mailu frontend
+    cmds:
+      - sudo cp mailu-f2b/fail2ban-bad-auth-filter.conf /etc/fail2ban/filter.d/bad-auth.conf
+      - sudo cp mailu-f2b/fail2ban-bad-auth-jail.conf /etc/fail2ban/jail.d/bad-auth.conf
+      - sudo cp mailu-f2b/fail2ban-docker-action.conf /etc/fail2ban/action.d/docker-action.conf
+      - sudo mkdir -p /etc/systemd/system/fail2ban.service.d
+      - sudo cp mailu-f2b/fail2ban-override.conf /etc/systemd/system/fail2ban.service.d/override.conf
+      - sudo sudo systemctl daemon-reload
+      - sudo systemctl restart fail2ban
+    sources:
+      - fmailu-f2b/ail2ban-bad-auth-filter.conf
+      - fmailu-f2b/ail2ban-bad-auth-jail.conf
+      - fmailu-f2b/ail2ban-docker-action.conf
+      - fmailu-f2b/ail2ban-override.conf
+    generates:
+      - /etc/fail2ban/filter.d/bad-auth.conf
+      - /etc/fail2ban/jail.d/bad-auth.conf
+      - /etc/fail2ban/action.d/docker-action.conf
+      - /etc/systemd/system/fail2ban.service.d/override.conf
+    preconditions:
+      - test 'commmand -v fail2ban-server'
+
+
+  ztrj:
+    desc: Join Zerotier happy_hurleys network
+    cmds:
+      - sudo zerotier-cli join 35c192ce9bcc3c6e

go-task/task.bash

@@ -0,0 +1,55 @@
+# vim: set tabstop=2 shiftwidth=2 expandtab:
+
+_GO_TASK_COMPLETION_LIST_OPTION='--list-all'
+
+function _task()
+{
+  local cur prev words cword
+  _init_completion -n : || return
+
+  # Check for `--` within command-line and quit or strip suffix.
+  local i
+  for i in "${!words[@]}"; do
+    if [ "${words[$i]}" == "--" ]; then
+      # Do not complete words following `--` passed to CLI_ARGS.
+      [ $cword -gt $i ] && return
+      # Remove the words following `--` to not put --list in CLI_ARGS.
+      words=( "${words[@]:0:$i}" )
+      break
+    fi
+  done
+
+  # Handle special arguments of options.
+  case "$prev" in
+    -d|--dir)
+      _filedir -d
+      return $?
+    ;;
+    -t|--taskfile)
+      _filedir yaml || return $?
+      _filedir yml
+      return $?
+    ;;
+    -o|--output)
+      COMPREPLY=( $( compgen -W "interleaved group prefixed" -- $cur ) )
+      return 0
+    ;;
+  esac
+
+  # Handle normal options.
+  case "$cur" in
+    -*)
+      COMPREPLY=( $( compgen -W "$(_parse_help $1)" -- $cur ) )
+      return 0
+    ;;
+  esac
+
+  # Prepare task name completions.
+  local tasks=( $( "${words[@]}" --silent $_GO_TASK_COMPLETION_LIST_OPTION 2> /dev/null ) )
+  COMPREPLY=( $( compgen -W "${tasks[*]}" -- "$cur" ) )
+
+  # Post-process because task names might contain colons.
+  __ltrim_colon_completions "$cur"
+}
+
+complete -F _task task

mailu-f2b/fail2ban-bad-auth-filter.conf

@@ -0,0 +1,5 @@
+# Fail2Ban configuration file
+[Definition]
+failregex = .* client login failed: .+ client:\ <HOST>
+ignoreregex =
+journalmatch = CONTAINER_TAG=mailu-front

mailu-f2b/fail2ban-bad-auth-jail.conf

@@ -0,0 +1,11 @@
+[bad-auth]
+enabled = true
+backend = systemd
+filter = bad-auth
+bantime = 1w
+bantime.increment = true
+bantime.factor = 2
+bantime.maxtime = 128w
+findtime = 300
+maxretry = 5
+action = docker-action

mailu-f2b/fail2ban-docker-action.conf

@@ -0,0 +1,16 @@
+[Definition]
+
+actionstart = iptables -N f2b-bad-auth
+              iptables -A f2b-bad-auth -j RETURN
+              iptables -I DOCKER-USER -p tcp -m multiport --dports 1:1024 -j f2b-bad-auth
+
+actionstop = iptables -D DOCKER-USER -p tcp -m multiport --dports 1:1024 -j f2b-bad-auth
+             iptables -F f2b-bad-auth
+             iptables -X f2b-bad-auth
+
+actioncheck = iptables -n -L DOCKER-USER | grep -q 'f2b-bad-auth[ \t]'
+
+actionban = iptables -I f2b-bad-auth 1 -s <ip> -j DROP
+
+actionunban = iptables -D f2b-bad-auth -s <ip> -j DROP
+

mailu-f2b/fail2ban-override.conf

@@ -0,0 +1,2 @@
+[Unit]
+After=docker.service

zerotier/zerotier.repo

@@ -0,0 +1,5 @@
+[zerotier]
+name=ZeroTier, Inc. RPM Release Repository
+baseurl=http://download.zerotier.com/redhat/fc/36
+enabled=1
+gpgcheck=1

zerotier/zt-gpg-key

@@ -0,0 +1,52 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Comment: GPGTools - https://gpgtools.org
+
+mQINBFdQq7oBEADEVhyRiaL8dEjMPlI/idO8tA7adjhfvejxrJ3Axxi9YIuIKhWU
+5hNjDjZAiV9iSCMfJN3TjC3EDA+7nFyU6nDKeAMkXPbaPk7ti+Tb1nA4TJsBfBlm
+CC14aGWLItpp8sI00FUzorxLWRmU4kOkrRUJCq2kAMzbYWmHs0hHkWmvj8gGu6mJ
+WU3sDIjvdsm3hlgtqr9grPEnj+gA7xetGs3oIfp6YDKymGAV49HZmVAvSeoqfL1p
+pEKlNQ1aO9uNfHLdx6+4pS1miyo7D1s7ru2IcqhTDhg40cHTL/VldC3d8vXRFLIi
+Uo2tFZ6J1jyQP5c1K4rTpw3UNVne3ob7uCME+T1+ePeuM5Y/cpcCvAhJhO0rrlr0
+dP3lOKrVdZg4qhtFAspC85ivcuxWNWnfTOBrgnvxCA1fmBX+MLNUEDsuu55LBNQT
+5+WyrSchSlsczq+9EdomILhixUflDCShHs+Efvh7li6Pg56fwjEfj9DJYFhRvEvQ
+7GZ7xtysFzx4AYD4/g5kCDsMTbc9W4Jv+JrMt3JsXt2zqwI0P4R1cIAu0J6OZ4Xa
+dJ7Ci1WisQuJRcCUtBTUxcYAClNGeors5Nhl4zDrNIM7zIJp+GfPYdWKVSuW10mC
+r3OS9QctMSeVPX/KE85TexeRtmyd4zUdio49+WKgoBhM8Z9MpTaafn2OPQARAQAB
+tFBaZXJvVGllciwgSW5jLiAoWmVyb1RpZXIgU3VwcG9ydCBhbmQgUmVsZWFzZSBT
+aWduaW5nIEtleSkgPGNvbnRhY3RAemVyb3RpZXIuY29tPokCNwQTAQoAIQUCV1Cr
+ugIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRAWVxmII+UqYViGEACnC3+3
+lRzfv7f7JLWo23FSHjlF3IiWfYd+47BLDx706SDih1H6Qt8CqRy706bWbtictEJ/
+xTaWgTEDzY/lRalYO5NAFTgK9h2zBP1t8zdEA/rmtVPOWOzd6jr0q3l3pKQTeMF0
+6g+uaMDG1OkBz6MCwdg9counz6oa8OHK76tXNIBEnGOPBW375z1O+ExyddQOHDcS
+IIsUlFmtIL1yBa7Q5NSfLofPLfS0/o2FItn0riSaAh866nXHynQemjTrqkUxf5On
+65RLM+AJQaEkX17vDlsSljHrtYLKrhEueqeq50e89c2Ya4ucmSVeC9lrSqfyvGOO
+P3aT/hrmeE9XBf7a9vozq7XhtViEC/ZSd1/z/oeypv4QYenfw8CtXP5bW1mKNK/M
+8xnrnYwo9BUMclX2ZAvu1rTyiUvGre9fEGfhlS0rjmCgYfMgBZ+R/bFGiNdn6gAd
+PSY/8fP8KFZl0xUzh2EnWe/bptoZ67CKkDbVZnfWtuKA0Ui7anitkjZiv+6wanv4
++5A3k/H3D4JofIjRNgx/gdVPhJfWjAoutIgGeIWrkfcAP9EpsR5swyc4KuE6kJ/Y
+wXXVDQiju0xE1EdNx/S1UOeq0EHhOFqazuu00ojATekUPWenNjPWIjBYQ0Ag4ycL
+KU558PFLzqYaHphdWYgxfGR+XSgzVTN1r7lW87kCDQRXUKu6ARAA2wWOywNMzEiP
+ZK6CqLYGZqrpfx+drOxSowwfwjP3odcK8shR/3sxOmYVqZi0XVZtb9aJVz578rNb
+e4Vfugql1Yt6w3V84z/mtfj6ZbTOOU5yAGZQixm6fkXAnpG5Eer/C8Aw8dH1EreP
+Na1gIVcUzlpg2Ql23qjr5LqvGtUB4BqJSF4X8efNi/y0hj/GaivUMqCF6+Vvh3GG
+fhvzhgBPku/5wK2XwBL9BELqaQ/tWOXuztMw0xFH/De75IH3LIvQYCuv1pnM4hJL
+XYnpAGAWfmFtmXNnPVon6g542Z6c0G/qi657xA5vr6OSSbazDJXNiHXhgBYEzRrH
+napcohTQwFKEA3Q4iftrsTDX/eZVTrO9x6qKxwoBVTGwSE52InWAxkkcnZM6tkfV
+n7Ukc0oixZ6E70Svls27zFgaWbUFJQ6JFoC6h+5AYbaga6DwKCYOP3AR+q0ZkcH/
+oJIdvKuhF9zDZbQhd76b4gK3YXnMpVsj9sQ9P23gh61RkAQ1HIlGOBrHS/XYcvpk
+DcfIlJXKC3V1ggrG+BpKu46kiiYmRR1/yM0EXH2n99XhLNSxxFxxWhjyw8RcR6iG
+ovDxWAULW+bJHjaNJdgb8Kab7j2nT2odUjUHMP42uLJgvS5LgRn39IvtzjoScAqg
+8I817m8yLU/91D2f5qmJIwFI6ELwImkAEQEAAYkCHwQYAQoACQUCV1CrugIbDAAK
+CRAWVxmII+UqYWSSEACxaR/hhr8xUIXkIV52BeD+2BOS8FNOi0aM67L4fEVplrsV
+Op9fvAnUNmoiQo+RFdUdaD2Rpq+yUjQHHbj92mlk6Cmaon46wU+5bAWGYpV1Uf+o
+wbKw1Xv83Uj9uHo7zv9WDtOUXUiTe/S792icTfRYrKbwkfI8iCltgNhTQNX0lFX/
+Sr2y1/dGCTCMEuA/ClqGKCm9lIYdu+4z32V9VXTSX85DsUjLOCO/hl9SHaelJgmi
+IJzRY1XLbNDK4IH5eWtbaprkTNIGt00QhsnM5w+rn1tO80giSxXFpKBE+/pAx8PQ
+RdVFzxHtTUGMCkZcgOJolk8y+DJWtX8fP+3a4Vq11a3qKJ19VXk3qnuC1aeW7OQF
+j6ISyHsNNsnBw5BRaS5tdrpLXw6Z7TKr1eq+FylmoOK0pIw5xOdRmSVoFm4lVcI5
+e5EwB7IIRF00IFqrXe8dCT0oDT9RXc6CNh6GIs9D9YKwDPRD/NKQlYoegfa13Jz7
+S3RIXtOXudT1+A1kaBpGKnpXOYD3w7jW2l0zAd6a53AAGy4SnL1ac4cml76NIWiF
+m2KYzvMJZBk5dAtFa0SgLK4fg8X6Ygoo9E0JsXxSrW9I1JVfo6Ia//YOBMtt4XuN
+Awqahjkq87yxOYYTnJmr2OZtQuFboymfMhNqj3G2DYmZ/ZIXXPgwHx0fnd3R0Q==
+=JgAv
+-----END PGP PUBLIC KEY BLOCK-----