From aa2c61dcd30fcc6040456f6820db65dc59d77121 Mon Sep 17 00:00:00 2001
From: Simon Gardling
Date: Tue, 20 Jan 2026 14:35:20 -0500
Subject: [PATCH] fail2ban: implement for caddy basic auth

---
 services/caddy.nix | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/services/caddy.nix b/services/caddy.nix
index b81a8e9..cbfea99 100644
--- a/services/caddy.nix
+++ b/services/caddy.nix
@@ -80,4 +80,21 @@ in
 networking.firewall.allowedUDPPorts = [ service_configs.ports.https ];
+
+ # Protect Caddy basic auth endpoints from brute force attacks
+ services.fail2ban.jails.caddy-auth = {
+ enabled = true;
+ settings = {
+ backend = "auto";
+ port = "http,https";
+ logpath = "/var/log/caddy/access-*.log";
+ # defaults: maxretry=5, findtime=10m, bantime=10m
+ };
+ filter.Definition = {
+ # Match Caddy JSON logs with 401 Unauthorized status (failed basic auth)
+ failregex = ''^.*"remote_ip":"".*"status":401.*$'';
+ ignoreregex = "";
+ datepattern = ''"ts":{Epoch}\.'';
+ };
+ };
 }
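Review bot: `port = "http,https"` resolves to 80/443 only, yet the context line just above opens `service_configs.ports.https` in the firewall, so if that port is not 443 the default multiport ban action never covers the port Caddy actually serves on; reuse the same variable, e.g. `port = "http,https,${toString service_configs.ports.https}";`, or set `banaction = "%(banaction_allports)s";` so a ban is not port-dependent. The failregex keys on `remote_ip`, which is the TCP peer address — if Caddy sits behind a reverse proxy or CDN, every 401 accrues to the proxy's address and the jail would ban the proxy itself; in that deployment match the field that honours `trusted_proxies` instead (`client_ip` in recent Caddy releases — confirm against the deployed version). Matching bare `"status":401` also counts the initial unauthenticated challenge every client receives before it sends credentials, plus any 401 from non-basic-auth routes writing to the same log, so legitimate first visits contribute toward maxretry=5; either narrow the pattern to the protected paths or record the trade-off next to the `# defaults:` comment, e.g. `# NOTE: every 401 counts, including the first challenge; 5 in 10m is deliberate`. As rendered here the pattern reads `"remote_ip":""` with no `<HOST>` capture, which fail2ban rejects when the jail starts; if the angle-bracket tag was merely stripped in rendering, disregard this last point.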