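#!/usr/bin/env bash
# Installs and configures Fail2Ban for the mailwolt stack:
#   * installs the fail2ban and sqlite3 packages when missing
#   * writes jails for sshd, postfix, dovecot and the rspamd controller
#   * points the fail2ban database at a fixed SQLite file
#   * adds a manual blacklist jail plus a sudoers rule so the web UI
#     (www-data) can query/ban/unban through fail2ban-client
#   * enables or disables the service according to FAIL2BAN_ENABLE
#
# Reads /etc/mailwolt/installer.env (if readable) for FAIL2BAN_ENABLE
# (default: 1). Requires ./lib.sh for `log`. Must run as root.
# Jail defaults not set here (bantime, findtime, maxretry, backend) are
# inherited from the distribution's jail.conf.
# The commented-out earlier revision that used to be appended to this file
# was dropped; it lives in version control.
set -euo pipefail
source ./lib.sh

log "Fail2Ban installieren/konfigurieren …"

# ---------------------------------------------------------------
# Load flags
# ---------------------------------------------------------------
# installer.env may reference variables that are not set; relax -u only
# while sourcing it.
set +u
if [ -r /etc/mailwolt/installer.env ]; then
  . /etc/mailwolt/installer.env
fi
set -u
FAIL2BAN_ENABLE="${FAIL2BAN_ENABLE:-1}"

# ---------------------------------------------------------------
# Packages
# ---------------------------------------------------------------
# Check both packages individually: sqlite3 is needed below to seed the
# database even when fail2ban itself is already installed.
missing_pkgs=()
dpkg -s fail2ban >/dev/null 2>&1 || missing_pkgs+=(fail2ban)
dpkg -s sqlite3 >/dev/null 2>&1 || missing_pkgs+=(sqlite3)
if (( ${#missing_pkgs[@]} > 0 )); then
  apt-get update -qq
  apt-get install -y "${missing_pkgs[@]}"
fi

install -d -m 0755 /etc/fail2ban/jail.d

# ---------------------------------------------------------------
# Base jails (practical set)
# ---------------------------------------------------------------
cat >/etc/fail2ban/jail.d/mailwolt.conf <<'EOF'
[sshd]
enabled = true
port = ssh
logpath = /var/log/auth.log

[postfix]
enabled = true
logpath = /var/log/mail.log
port = smtp,ssmtp,submission,465

[dovecot]
enabled = true
logpath = /var/log/mail.log
port = pop3,pop3s,imap,imaps,submission,465,587,993

[rspamd-controller]
enabled = true
port = 11334
filter = rspamd
logpath = /var/log/rspamd/rspamd.log
maxretry = 5
EOF

# Simple filter for the rspamd controller.
# fail2ban refuses a failregex without a host group (<HOST>), so the jail
# would never start without it. The surrounding pattern is unchanged;
# verify it against an actual rspamd controller log line before relying
# on it.
if [ ! -f /etc/fail2ban/filter.d/rspamd.conf ]; then
  cat >/etc/fail2ban/filter.d/rspamd.conf <<'EOF'
[Definition]
failregex = .*Authentication failed for user.* from <HOST>
ignoreregex =
EOF
fi

# ---------------------------------------------------------------
# Switch the fail2ban backend to SQLite
# ---------------------------------------------------------------
log "SQLite-Backend aktivieren …"
# NOTE(review): dbpurgeage is 1 day; confirm that permanent bans
# (bantime = -1, used by the blacklist jail below) survive purging on the
# installed fail2ban version.
cat >/etc/fail2ban/fail2ban.local <<'EOF'
[Definition]
loglevel = INFO
logtarget = /var/log/fail2ban.log
dbfile = /var/lib/fail2ban/fail2ban.sqlite3
dbpurgeage = 86400
EOF

readonly F2B_DB=/var/lib/fail2ban/fail2ban.sqlite3

# The Debian/Ubuntu package typically runs the daemon as root and does not
# create a "fail2ban" account, so an unconditional chown would abort the
# script under set -e. Hand the files to that account only when it exists.
f2b_owner=root
if getent passwd fail2ban >/dev/null 2>&1 && getent group fail2ban >/dev/null 2>&1; then
  f2b_owner=fail2ban
fi

# Make sure the database directory exists.
install -d -o "$f2b_owner" -g "$f2b_owner" -m 0750 /var/lib/fail2ban

# Seed an empty database if none exists yet (the daemon extends the schema).
if [ ! -f "$F2B_DB" ]; then
  sqlite3 "$F2B_DB" "VACUUM;"
fi
chown "${f2b_owner}:${f2b_owner}" "$F2B_DB"
chmod 0640 "$F2B_DB"

# ---------------------------------------------------------------
# Blacklist jail for manual bans from the web UI
# ---------------------------------------------------------------
# TODO(review): confirm that `filter = none` resolves to an existing
# filter definition on the target fail2ban version; a jail with an
# unresolvable filter fails to start.
cat >/etc/fail2ban/jail.d/mailwolt-blacklist.local <<'EOF'
[mailwolt-blacklist]
enabled = true
filter = none
port = anyport
bantime = -1
findtime = 1
maxretry = 1
EOF

# ---------------------------------------------------------------
# sudoers for the web UI
# ---------------------------------------------------------------
# The rule is written to a temp file and validated with visudo before it
# is installed, so an invalid file never sits in /etc/sudoers.d.
# Keep this list minimal: a sudoers `*` also matches whitespace, so each
# wildcard admits additional trailing arguments to fail2ban-client.
readonly SUDOERS_F2B="/etc/sudoers.d/mailwolt-fail2ban"
sudoers_tmp=$(mktemp) || { printf '%s\n' "mktemp failed" >&2; exit 1; }
cleanup() { rm -f -- "$sudoers_tmp"; }
trap cleanup EXIT

cat > "$sudoers_tmp" <<'EOF'
www-data ALL=(root) NOPASSWD: \
  /usr/bin/fail2ban-client ping, \
  /usr/bin/fail2ban-client status, \
  /usr/bin/fail2ban-client status *, \
  /usr/bin/fail2ban-client get *, \
  /usr/bin/fail2ban-client set * banip *, \
  /usr/bin/fail2ban-client set * unbanip *, \
  /usr/bin/fail2ban-client reload
EOF

if visudo -c -f "$sudoers_tmp" >/dev/null 2>&1; then
  install -o root -g root -m 0440 -- "$sudoers_tmp" "${SUDOERS_F2B}"
else
  printf '%s\n' "[!] Ungültiger sudoers-Eintrag in ${SUDOERS_F2B} – entferne Datei." >&2
  # Also drop any stale copy left by an earlier run.
  rm -f -- "${SUDOERS_F2B}"
fi

# ---------------------------------------------------------------
# Enable/disable the service
# ---------------------------------------------------------------
if [[ "$FAIL2BAN_ENABLE" = "1" ]]; then
  systemctl enable --now fail2ban
else
  # Best-effort: the unit may already be inactive or absent.
  systemctl disable --now fail2ban || true
fi

log "[✓] Fail2Ban (ENABLE=${FAIL2BAN_ENABLE}) bereit."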