From cdeada1f86a7c886ec2783471ef2370968da3d09 Mon Sep 17 00:00:00 2001
From: Christoph Schmatzler
Date: Thu, 11 Dec 2025 20:21:18 +0000
Subject: [PATCH] gitea fail2ban

---
 hosts/michael/default.nix | 1 +
 modules/fail2ban.nix | 40 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+)
 create mode 100644 modules/fail2ban.nix

diff --git a/hosts/michael/default.nix b/hosts/michael/default.nix
index ce6e5db..0a5a211 100644
--- a/hosts/michael/default.nix
+++ b/hosts/michael/default.nix
@@ -13,6 +13,7 @@
 ./disk-config.nix
 ./hardware-configuration.nix
 ../../modules/core.nix
+ ../../modules/fail2ban.nix
 ../../modules/gitea.nix
 ../../modules/nixos.nix
 inputs.disko.nixosModules.disko
diff --git a/modules/fail2ban.nix b/modules/fail2ban.nix
new file mode 100644
index 0000000..a63c712
--- /dev/null
+++ b/modules/fail2ban.nix
@@ -0,0 +1,40 @@
+{...}: {
+ services.fail2ban = {
+ enable = true;
+ maxretry = 5;
+ bantime = "10m";
+ bantime-increment = {
+ enable = true;
+ multipliers = "1 2 4 8 16 32 64";
+ maxtime = "168h";
+ overalljails = true;
+ };
+ jails = {
+ sshd = {
+ settings = {
+ enabled = true;
+ port = "ssh";
+ filter = "sshd";
+ maxretry = 3;
+ };
+ };
+ gitea = {
+ settings = {
+ enabled = true;
+ filter = "gitea";
+ logpath = "/var/lib/gitea/log/gitea.log";
+ maxretry = 10;
+ findtime = 3600;
+ bantime = 900;
+ action = "iptables-allports";
+ };
+ };
+ };
+ };
+
+ environment.etc."fail2ban/filter.d/gitea.local".text = ''
+ [Definition]
+ failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from
+ ignoreregex =
+ '';
+}
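Review bot: The `failregex` in the new `gitea.local` filter ends at `.* from` with no `<HOST>` capture, and fail2ban refuses to load a failregex that has no host group, so the gitea jail would not start even though the Nix module itself evaluates; the line should read `failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>` (if the angle-bracket token exists in the committed file and was only lost in this rendering, disregard this point). If Gitea runs behind a reverse proxy (not visible in this patch), the address it writes after "from" is the proxy's unless `REVERSE_PROXY_TRUSTED_PROXIES` in its `[security]` section covers that proxy, in which case repeated failed logins would get the proxy itself banned rather than the client. Hardcoding `action = "iptables-allports"` on the gitea jail also bypasses the module-level `services.fail2ban.banaction` default, which as far as I recall switches to an nftables action when `networking.nftables.enable` is set; leaving `action` unset, or setting `banaction` once at the module level, keeps every jail on the same firewall backend as the sshd jail.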