moved fail2ban configs into service configs

2025-03-22 13:01:25 -05:00 · 2025-03-22 13:01:25 -05:00 · c7938c3fe7
commit c7938c3fe7
parent 76d68cf146
4 changed files with 73 additions and 44 deletions
--- a/modules/nixos-modules/server/immich.nix
+++ b/modules/nixos-modules/server/immich.nix
@ -1,6 +1,7 @@
 {
  lib,
  config,
+  pkgs,
  ...
 }: let
  mediaLocation = "/var/lib/immich";
@ -59,6 +60,27 @@ in {
        ];
      };
    }
+    (lib.mkIf config.services.fail2ban.enable {
+      environment.etc = {
+        "fail2ban/filter.d/immich.local".text = lib.mkIf config.services.immich.enable (
+          pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+            [Definition]
+            failregex = immich-server.*Failed login attempt for user.+from ip address\s?<ADDR>
+            journalmatch = CONTAINER_TAG=immich-server
+          '')
+        );
+      };
+
+      services.fail2ban = {
+        jails = {
+          immich-iptables.settings = lib.mkIf config.services.immich.enable {
+            enabled = true;
+            filter = "immich";
+            backend = "systemd";
+          };
+        };
+      };
+    })
    (lib.mkIf config.host.impermanence.enable {
      assertions = [
        {