fail2ban: implement for bitwarden

services/bitwarden.nix

@@ -43,4 +43,19 @@
     "Z ${service_configs.vaultwarden.path} 0700 vaultwarden vaultwarden"
     "Z ${config.services.vaultwarden.backupDir} 0700 vaultwarden vaultwarden"
   ];
+
+  # Protect Vaultwarden login from brute force attacks
+  services.fail2ban.jails.vaultwarden = {
+    enabled = true;
+    settings = {
+      backend = "systemd";
+      port = "http,https";
+      # defaults: maxretry=5, findtime=10m, bantime=10m
+    };
+    filter.Definition = {
+      failregex = ''^.*Username or password is incorrect\. Try again\. IP: <HOST>\..*$'';
+      ignoreregex = "";
+      journalmatch = "_SYSTEMD_UNIT=vaultwarden.service";
+    };
+  };
 }