diff --git a/modules/services/gitea/default.nix b/modules/services/gitea/default.nix
index 9c443f0..5e14175 100644
--- a/modules/services/gitea/default.nix
+++ b/modules/services/gitea/default.nix
@@ -126,5 +126,21 @@ in
         config.services.gitea.repositoryRoot
       ];
     };
+
+    services.fail2ban.jails = {
+      gitea = ''
+        enabled = true
+        filter = gitea
+        action = iptables-allports
+      '';
+    };
+
+    environment.etc = {
+      "fail2ban/filter.d/gitea.conf".text = ''
+        [Definition]
+        failregex = ^.*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>$
+        journalmatch = _SYSTEMD_UNIT=gitea.service
+      '';
+    };
   };
 }