From a4db741ed4775895c42f21e201f673b5c6216cca Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Thu, 13 Oct 2022 11:47:24 +0200
Subject: [PATCH] services: photoprism: add fail2ban rules
---
 services/photoprism.nix | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/services/photoprism.nix b/services/photoprism.nix
index ca539d8..9ba4191 100644
--- a/services/photoprism.nix
+++ b/services/photoprism.nix
@@ -91,5 +91,23 @@ in {
 "${cfg.home}/storage"
 ];
 };
+
+ services.fail2ban.jails = {
+ photoprism = ''
+ enabled = true
+ filter = photoprism-failed-login
+ port = http,https
+ maxretry = 3
+ '';
+ };
+
+ environment.etc = {
+ "fail2ban/filter.d/photoprism-failed-login.conf".text = ''
+ [Definition]
+ failregex = ^.* photoprism: - .*"POST \/api\/v1\/session HTTP[^"]*" 400 .*$
+ ignoreregex =
+ journalmatch = _SYSTEMD_UNIT=nginx.service _TRANSPORT=syslog
+ '';
+ };
 };
 }
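Review bot: The `failregex` in the new `photoprism-failed-login.conf` filter, as shown in this hunk, has no `<HOST>` (or other failure-id) group between `photoprism:` and ` - `, and fail2ban needs one to know which address to ban; without it the filter is rejected or never bans anything. The token may simply have been dropped when the patch was rendered, so confirm the committed line reads `failregex = ^.* photoprism: <HOST> - .*"POST \/api\/v1\/session HTTP[^"]*" 400 .*$`. The rule also keys on status 400 alone, which ties it to how the deployed PhotoPrism version answers a rejected login, so a later change in that status code would leave the jail enabled but matching nothing. A comment in the filter text such as `# matches nginx access-log lines for rejected POST /api/v1/session (HTTP 400)` plus a `fail2ban-regex` run against a sample log line would make that assumption visible and testable.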