From 00df5ff49b0fae966b84fa626db4ac6b11ebee1f Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Thu, 13 Oct 2022 11:13:13 +0200
Subject: [PATCH 1/4] services: photoprism: log access in specific file
---
 services/photoprism.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/services/photoprism.nix b/services/photoprism.nix
index 30d38e2..e971968 100644
--- a/services/photoprism.nix
+++ b/services/photoprism.nix
@@ -76,6 +76,7 @@ in {
 proxy_read_timeout 600;
 proxy_send_timeout 600;
 client_max_body_size 100m;
+ access_log /var/log/nginx/photoprism_access.log;
 '';
 };
 };
From 897c1f57a87b5da6cadfb320a938085747247cf8 Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Thu, 13 Oct 2022 11:47:24 +0200
Subject: [PATCH 2/4] services: photoprism: add fail2ban rules
---
 services/photoprism.nix | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/services/photoprism.nix b/services/photoprism.nix
index e971968..bd413bb 100644
--- a/services/photoprism.nix
+++ b/services/photoprism.nix
@@ -91,5 +91,23 @@ in {
 "${cfg.home}/storage"
 ];
 };
+
+ services.fail2ban.jails = {
+ photoprism = ''
+ enabled = true
+ filter = photoprism-failed-login
+ port = http,https
+ maxretry = 3
+ logpath = /var/log/nginx/photoprism_access.log
+ '';
+ };
+
+ environment.etc = {
+ "fail2ban/filter.d/photoprism-failed-login.conf".text = ''
+ [Definition]
+ failregex = ^ -.*"POST \/api\/v1\/session HTTP[^"]*" 400 .*$
+ ignoreregex =
+ '';
+ };
 };
 }
From a116894bbae8f34a4709e21060d2ab9d8b34402a Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Thu, 13 Oct 2022 11:13:13 +0200
Subject: [PATCH 3/4] services: photoprism: log access in specific file
---
 services/photoprism.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/services/photoprism.nix b/services/photoprism.nix
index 30d38e2..ca539d8 100644
--- a/services/photoprism.nix
+++ b/services/photoprism.nix
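Review bot: In the PATCH 2/4 hunk, the `failregex` as shown has no `<HOST>` placeholder between `^` and ` -`, and fail2ban needs one to know which address to ban; it may only have been lost when the page was rendered, but the line should read `failregex = ^<HOST> -.*"POST \/api\/v1\/session HTTP[^"]*" 400 .*$`. The same line appears in the PATCH 4/4 hunk. The filter also keys on status 400 alone, so it counts any rejected POST to the session endpoint and would silently stop matching if the application ever answered failed logins with a different code; a comment above it such as `# matches nginx access-log lines for rejected POST /api/v1/session requests (status 400)` would make that dependency visible. The jail sets no `findtime` or `bantime`, so the ban window comes from the global defaults.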
@@ -76,6 +76,7 @@ in {
 proxy_read_timeout 600;
 proxy_send_timeout 600;
 client_max_body_size 100m;
+ access_log syslog:server=unix:/dev/log,tag=photoprism;
 '';
 };
 };
From c7557fdef9018b2fcfc94535cfd8013f1bf08df2 Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Thu, 13 Oct 2022 11:47:24 +0200
Subject: [PATCH 4/4] services: photoprism: add fail2ban rules
---
 services/photoprism.nix | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/services/photoprism.nix b/services/photoprism.nix
index ca539d8..6cb1577 100644
--- a/services/photoprism.nix
+++ b/services/photoprism.nix
@@ -91,5 +91,23 @@ in {
 "${cfg.home}/storage"
 ];
 };
+
+ services.fail2ban.jails = {
+ photoprism = ''
+ enabled = true
+ filter = photoprism-failed-login
+ port = http,https
+ maxretry = 3
+ '';
+ };
+
+ environment.etc = {
+ "fail2ban/filter.d/photoprism-failed-login.conf".text = ''
+ [Definition]
+ failregex = ^ -.*"POST \/api\/v1\/session HTTP[^"]*" 400 .*$
+ ignoreregex =
+ journalmatch = _SYSTEMD_UNIT=nginx.service
+ '';
+ };
 };
 }
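Review bot: In the PATCH 4/4 hunk, `journalmatch = _SYSTEMD_UNIT=nginx.service` selects every journal entry from nginx, and the `tag=photoprism` introduced in PATCH 3/4 is not used to narrow it; something like `journalmatch = _SYSTEMD_UNIT=nginx.service SYSLOG_IDENTIFIER=photoprism` would restrict the filter to this vhost's access log. The jail also drops `logpath` without setting `backend = systemd`, so it depends on the default backend being the journal, and stating it in the jail would make that explicit. With the journal backend the line fail2ban matches may carry a host and identifier prefix before the client address, so the `^` anchor is worth checking with `fail2ban-regex` against real journal entries before relying on the ban.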