nix-config/modules/nixos-modules/server/home-assistant/fail2ban.nix

{
  lib,
  pkgs,
  config,
  ...
}:
lib.mkIf (config.services.fail2ban.enable && config.services.home-assistant.enable) {
  environment.etc = {
    "fail2ban/filter.d/hass.local".text = (
      pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
        [INCLUDES]
        before = common.conf

        [Definition]
        failregex = ^%(__prefix_line)s.*Login attempt or request with invalid authentication from <HOST>.*$

        ignoreregex =

        [Init]
        datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S
      '')
    );
  };

  services.fail2ban = {
    jails = {
      home-assistant-iptables.settings = {
        enabled = true;
        filter = "hass";
        action = ''iptables-multiport[name=HTTP, port="http,https"]'';
        logpath = "${config.services.home-assistant.configDir}/*.log";
        backend = "auto";
        findtime = 600;
        bantime = 600;
        maxretry = 5;
      };
    };
  };
}