added fail2ban filter for immich

modules/nixos-modules/server/fail2ban.nix

@@ -46,6 +46,16 @@ in {
             datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S
           '')
         );
+        "fail2ban/filter.d/immich.local".text = lib.mkIf config.services.immich.enable (
+          pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+            [INCLUDES]
+            before = common.conf
+
+            [Definition]
+            failregex = immich-server.*Failed login attempt for user.+from ip address\s?<ADDR>
+            journalmatch = CONTAINER_TAG=immich-server
+          '')
+        );
       };
 
       services.fail2ban = {
@@ -108,6 +118,11 @@ in {
             bantime = 600;
             maxretry = 5;
           };
+          immich-iptables.settings = lib.mkIf config.services.immich.enable {
+            enabled = true;
+            filter = "immich";
+            backend = "systemd";
+          };
           # TODO; figure out if there is any fail2ban things we can do on searx
           # searx-iptables.settings = lib.mkIf config.services.searx.enable {};
         };