From 80384b2afedb41e675f377ed34698e80621e8559 Mon Sep 17 00:00:00 2001
From: Antoine Martin <antoine97.martin@gmail.com>
Date: Mon, 22 Feb 2021 15:56:01 +0100
Subject: [PATCH] bitwarden_rs: setup fail2ban

---
 services/bitwarden_rs.nix | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/services/bitwarden_rs.nix b/services/bitwarden_rs.nix
index 8d26243..10ce7cc 100644
--- a/services/bitwarden_rs.nix
+++ b/services/bitwarden_rs.nix
@@ -91,6 +91,39 @@ in {
       paths = [ "/var/lib/bitwarden_rs" ];
       exclude = [ "/var/lib/bitwarden_rs/icon_cache" ];
     };
+
+    services.fail2ban.jails = {
+      bitwarden_rs = ''
+        enabled = true
+        filter = bitwarden_rs
+        port = http,https
+        maxretry = 5
+      '';
+
+      # Admin page isn't enabled by default, but just in case...
+      bitwarden_rs-admin = ''
+        enabled = true
+        filter = bitwarden_rs-admin
+        port = http,https
+        maxretry = 2
+      '';
+    };
+
+    environment.etc = {
+      "fail2ban/filter.d/bitwarden_rs.conf".text = ''
+        [Definition]
+        failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
+        ignoreregex =
+        journalmatch = _SYSTEMD_UNIT=bitwarden_rs.service
+      '';
+
+      "fail2ban/filter.d/bitwarden_rs-admin.conf".text = ''
+        [Definition]
+        failregex = ^.*Invalid admin token\. IP: <ADDR>.*$
+        ignoreregex =
+        journalmatch = _SYSTEMD_UNIT=bitwarden_rs.service
+      '';
+    };
   };
 
 }