 1{lib, ...}: {
 2  flake.modules.nixos."services/forgejo" = {config, ...}:
 3    lib.mkIf config.services.fail2ban.enable {
 4      services.fail2ban.jails.forgejo-ssh = {
 5        settings = {
 6          filter = "forgejo-ssh";
 7          action = "iptables-allports";
 8          mode = "aggressive";
 9          maxretry = 3;
10          findtime = 3600;
11          bantime = 900;
12        };
13      };
14      environment.etc."fail2ban/filter.d/forgejo-ssh.conf".text = ''
15        [Definition]
16        failregex = ^.*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>$
17        journalmatch = _SYSTEMD_UNIT=forgejo.service
18      '';
19    };
20}