From fc8ccb8b990730bc95be0a08f499a77b17779aea Mon Sep 17 00:00:00 2001
From: Bruno BELANYI <bruno@belanyi.fr>
Date: Sun, 3 Sep 2023 12:43:46 +0200
Subject: [PATCH] modules: services: pirate: add fail2ban jails

---
 modules/services/pirate/default.nix | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/modules/services/pirate/default.nix b/modules/services/pirate/default.nix
index 96f5ad4..7c341e7 100644
--- a/modules/services/pirate/default.nix
+++ b/modules/services/pirate/default.nix
@@ -29,6 +29,24 @@ let
     ];
   };
 
+  mkFail2Ban = service: {
+    services.fail2ban.jails = {
+      ${service} = ''
+        enabled = true
+        filter = ${service}
+        action = iptables-allports
+      '';
+    };
+
+    environment.etc = {
+      "fail2ban/filter.d/${service}.conf".text = ''
+        [Definition]
+        failregex = ^.*\|Warn\|Auth\|Auth-Failure ip <HOST> username .*$
+        journalmatch = _SYSTEMD_UNIT=${service}.service
+      '';
+    };
+  };
+
   mkFullConfig = service: lib.mkMerge [
     (mkService service)
     (mkRedirection service)
@@ -44,13 +62,16 @@ in
       # Set-up media group
       users.groups.media = { };
     }
-    # Bazarr for subtitles
+    # Bazarr does not log authentication failures...
     (mkFullConfig "bazarr")
     # Lidarr for music
     (mkFullConfig "lidarr")
+    (mkFail2Ban "lidarr")
     # Radarr for movies
     (mkFullConfig "radarr")
+    (mkFail2Ban "radarr")
     # Sonarr for shows
     (mkFullConfig "sonarr")
+    (mkFail2Ban "sonarr")
   ]);
 }