From c1eab0edeef61911777341fb8f4f4e7f19c51a21 Mon Sep 17 00:00:00 2001
From: Bruno BELANYI <bruno@belanyi.fr>
Date: Fri, 20 Sep 2024 14:39:53 +0000
Subject: [PATCH] nixos: services: jellyfin: add fail2ban jail

The upstream documentation adds quotes around the IP, but I don't see
them in my logs. Let's split the difference by making them optional.
---
 modules/nixos/services/jellyfin/default.nix | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/modules/nixos/services/jellyfin/default.nix b/modules/nixos/services/jellyfin/default.nix
index f5aaa99..e8910a5 100644
--- a/modules/nixos/services/jellyfin/default.nix
+++ b/modules/nixos/services/jellyfin/default.nix
@@ -41,5 +41,21 @@ in
         };
       };
     };
+
+    services.fail2ban.jails = {
+      jellyfin = ''
+        enabled = true
+        filter = jellyfin
+        port = http,https
+      '';
+    };
+
+    environment.etc = {
+      "fail2ban/filter.d/jellyfin.conf".text = ''
+        [Definition]
+        failregex = ^.*Authentication request for .* has been denied \(IP: "?<ADDR>"?\)\.
+        journalmatch = _SYSTEMD_UNIT=jellyfin.service
+      '';
+    };
   };
 }