From b9f6c5d5347ac0c869da25f2936ce60284152cb7 Mon Sep 17 00:00:00 2001
From: Bruno BELANYI
Date: Sun, 19 Feb 2023 18:36:41 +0100
Subject: [PATCH] modules: services: gitea: add fail2ban jail
---
 modules/services/gitea/default.nix | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/modules/services/gitea/default.nix b/modules/services/gitea/default.nix
index 9c443f0..5e14175 100644
--- a/modules/services/gitea/default.nix
+++ b/modules/services/gitea/default.nix
@@ -126,5 +126,21 @@ in
 config.services.gitea.repositoryRoot
 ];
 };
+
+ services.fail2ban.jails = {
+ gitea = ''
+ enabled = true
+ filter = gitea
+ action = iptables-allports
+ '';
+ };
+
+ environment.etc = {
+ "fail2ban/filter.d/gitea.conf".text = ''
+ [Definition]
+ failregex = ^.*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from $
+ journalmatch = _SYSTEMD_UNIT=gitea.service
+ '';
+ };
 };
 }
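Review bot: The `failregex` in the new `fail2ban/filter.d/gitea.conf` ends in `from $` as shown, with no `<HOST>` tag, and fail2ban needs that tag to know which address to ban; if the tag was only lost when this page was rendered the filter is fine, otherwise the line should end `.* from <HOST>$`. The `gitea` jail also sets no `maxretry`, `findtime` or `bantime`, so it inherits the global defaults; stating them in the jail would make the lockout policy readable in this module. If Gitea is served through a reverse proxy (not visible in this hunk), the logged address may be the proxy's, and `action = iptables-allports` would then cut off every client at once, so it is worth confirming that the real client address reaches the log. The enclosing `config` block starts outside the hunk.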