From d9236152aaf1002cfad221d66ed16c472244cdd2 Mon Sep 17 00:00:00 2001
From: Simon Gardling
Date: Tue, 20 Jan 2026 14:39:38 -0500
Subject: [PATCH] fail2ban: implement for immich
---
 services/immich.nix | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/services/immich.nix b/services/immich.nix
index b9b0e2f..ed9a21d 100644
--- a/services/immich.nix
+++ b/services/immich.nix
@@ -42,4 +42,19 @@
 "video"
 "render"
 ];
+
+ # Protect Immich login from brute force attacks
+ services.fail2ban.jails.immich = {
+ enabled = true;
+ settings = {
+ backend = "systemd";
+ port = "http,https";
+ # defaults: maxretry=5, findtime=10m, bantime=10m
+ };
+ filter.Definition = {
+ failregex = ''^.*Failed login attempt for user .* from ip address .*$'';
+ ignoreregex = "";
+ journalmatch = "_SYSTEMD_UNIT=immich-server.service";
+ };
+ };
 }
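Review bot: The `failregex` in the new `filter.Definition` contains no host capture (`<HOST>` or `<ADDR>`), so fail2ban has no address to ban and will typically reject the filter with a "no failure-id group" error instead of protecting the login. Capturing the address at the anchored end of the line also keeps the attacker-controlled user field from steering which address is matched: `failregex = ''^.*Failed login attempt for user .* from ip address <ADDR>\s*$'';`. If Immich is reached through a reverse proxy, confirm that the logged address is the client's rather than the proxy's, and that `port = "http,https"` covers the port clients actually connect to; neither is visible in this hunk. The enclosing attribute set starts outside the hunk.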