nix-config/modules/nixos-modules/server/forgejo/fail2ban.nix

{
  lib,
  config,
  pkgs,
  ...
}: {
  options.services.forgejo = {
    fail2ban = {
      enable = lib.mkOption {
        type = lib.types.bool;
        default = config.services.forgejo.enable && config.services.fail2ban.enable;
      };
    };
  };

  config = lib.mkIf config.services.forgejo.fail2ban.enable {
    environment.etc = {
      "fail2ban/filter.d/forgejo.local".text = lib.mkIf config.services.forgejo.enable (
        pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
          [Definition]
          failregex = ".*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>"
        '')
      );
    };

    services.fail2ban = {
      jails = {
        forgejo-iptables.settings = lib.mkIf config.services.forgejo.enable {
          enabled = true;
          filter = "forgejo";
          action = ''iptables-multiport[name=HTTP, port="http,https"]'';
          logpath = "${config.services.forgejo.settings.log.ROOT_PATH}/*.log";
          backend = "auto";
          findtime = 600;
          bantime = 600;
          maxretry = 5;
        };
      };
    };
  };
}