From d43ece8ac4f509e1859df98fa8647e0c20223b77 Mon Sep 17 00:00:00 2001
From: ant
Date: Fri, 26 Sep 2025 12:50:03 +0200
Subject: [PATCH] forgejo: add fail2ban

---
 os/forgejo.nix | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/os/forgejo.nix b/os/forgejo.nix
index b534376..1883fda 100644
--- a/os/forgejo.nix
+++ b/os/forgejo.nix
@@ -6,8 +6,19 @@ let utils = import ./utils.nix; in
 services.fail2ban.jails.forgejo = {
 enabled = true;
 filter = "forgejo";
+ settings = {
+ action = "iptables-allports";
+ mode = "aggressive";
+ };
 };
 
+ environment.etc."fail2ban/filter.d/forgejo.conf".text = ''
+ [Definition]
+ failregex = ^.*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from :.*$
+ journalmatch = _SYSTEMD_UNIT=forgejo.service
+ '';
+
+
 services.forgejo = {
 enable = true;
 lfs.enable = true;
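Review bot: The `failregex` written to `fail2ban/filter.d/forgejo.conf` appears here without a host capture (`from :.*$`), and fail2ban needs `<HOST>` or `<ADDR>` in the pattern to know which address to ban. If the tag was only lost when this page was rendered, the leading `^.*` and the greedy `.*` before ` from ` are still worth tightening, because the usernames in these log lines are client-supplied and a loosely anchored pattern lets log content influence which address is captured. `mode = "aggressive";` in `settings` probably has no effect, since the jail uses `filter = "forgejo"` without passing `[mode=...]` and the filter defines no mode-dependent expression, so I would drop that line or make the filter honour it. With `action = "iptables-allports";` a banned address loses every port, so if Forgejo sits behind a reverse proxy (not visible in this hunk) confirm the logged address is the client's and consider listing trusted addresses in `services.fail2ban.ignoreIP`. The enclosing attribute set and the `services.forgejo` block continue outside the hunk; a comment above the filter such as `# matches Forgejo auth-failure log lines; keep in sync with Forgejo's log format` would help the next reader.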