From 9bc13861b4a54072b25677fde81dcfc3b6f6021c Mon Sep 17 00:00:00 2001
From: Leyla Becker
Date: Tue, 18 Mar 2025 18:32:57 -0500
Subject: [PATCH] added fail2ban filter for immich
---
 modules/nixos-modules/server/fail2ban.nix | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/modules/nixos-modules/server/fail2ban.nix b/modules/nixos-modules/server/fail2ban.nix
index a84b5ad..f486d73 100644
--- a/modules/nixos-modules/server/fail2ban.nix
+++ b/modules/nixos-modules/server/fail2ban.nix
@@ -46,6 +46,16 @@ in {
 datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S
 '')
 );
+ "fail2ban/filter.d/immich.local".text = lib.mkIf config.services.immich.enable (
+ pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+ [INCLUDES]
+ before = common.conf
+
+ [Definition]
+ failregex = immich-server.*Failed login attempt for user.+from ip address\s?
+ journalmatch = CONTAINER_TAG=immich-server
+ '')
+ );
 };
 services.fail2ban = {
@@ -108,6 +118,11 @@ in {
 bantime = 600;
 maxretry = 5;
 };
+ immich-iptables.settings = lib.mkIf config.services.immich.enable {
+ enabled = true;
+ filter = "immich";
+ backend = "systemd";
+ };
 # TODO; figure out if there is any fail2ban things we can do on searx
 # searx-iptables.settings = lib.mkIf config.services.searx.enable {};
 };
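Review bot: The `journalmatch = CONTAINER_TAG=immich-server` line in the new filter looks like it will select no journal entries when Immich comes from the NixOS module this block is gated on (`config.services.immich.enable`). `CONTAINER_TAG` is a field written by a container runtime's journald log driver, whereas a native unit would be selected with something like `journalmatch = _SYSTEMD_UNIT=immich-server.service`. A jail whose match is empty fails silently, so it is worth confirming with `journalctl` which field the login-failure lines actually carry. Separately, the `failregex` as shown ends at `\s?` with no `<ADDR>` or `<HOST>` tag; that tag may simply have been lost when this page was rendered, but if it is missing in the file fail2ban has nothing to ban and should reject the pattern. Because the text matched by `.+` is the submitted user name, closing the pattern with `$` right after the address tag keeps the ban tied to the address Immich appended.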
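Review bot: The new `immich-iptables` jail in the second hunk sets only `enabled`, `filter` and `backend`, so its ban thresholds fall back to fail2ban's global defaults, while the jail just above it pins `bantime = 600;` and `maxretry = 5;`. Stating the same two settings here (and `findtime` if wanted) would make the lockout policy for Immich logins explicit and reviewable. If Immich is reached through a reverse proxy, the logged address is presumably the real client only when Immich is configured to trust the proxy's forwarded header; otherwise the jail would ban the proxy itself. A comment such as `# requires Immich to log the real client IP (trusted proxy configured)` would record that. The enclosing attribute set begins before this hunk.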