From f2ef5627249e41ea71aaaf8a47542530ceae7a03 Mon Sep 17 00:00:00 2001
From: Simon Gardling
Date: Tue, 20 Jan 2026 14:39:43 -0500
Subject: [PATCH] fail2ban: implement for jellyfin

---
 services/jellyfin.nix | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/services/jellyfin.nix b/services/jellyfin.nix
index 3a75770..3e6fe6f 100644
--- a/services/jellyfin.nix
+++ b/services/jellyfin.nix
@@ -23,7 +23,11 @@
 };
 
 services.caddy.virtualHosts."jellyfin.${service_configs.https.domain}".extraConfig = ''
- reverse_proxy :${builtins.toString service_configs.ports.jellyfin}
+ reverse_proxy :${builtins.toString service_configs.ports.jellyfin} {
+ header_up X-Real-IP {remote_host}
+ header_up X-Forwarded-For {remote_host}
+ header_up X-Forwarded-Proto {scheme}
+ }
 request_body {
 max_size 4096MB
 }
@@ -39,4 +43,19 @@
 "render"
 service_configs.media_group
 ];
+
+ # Protect Jellyfin login from brute force attacks
+ services.fail2ban.jails.jellyfin = {
+ enabled = true;
+ settings = {
+ backend = "auto";
+ port = "http,https";
+ logpath = "${config.services.jellyfin.dataDir}/log/log_*.log";
+ # defaults: maxretry=5, findtime=10m, bantime=10m
+ };
+ filter.Definition = {
+ failregex = ''^.*Authentication request for .* has been denied \(IP: ""\)\..*$'';
+ ignoreregex = "";
+ };
+ };
 }
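Review bot: Nothing in this patch makes Jellyfin trust the `X-Forwarded-For` / `X-Real-IP` headers set in the new `reverse_proxy` block, and Jellyfin only honours forwarded addresses from proxies listed in its "Known proxies" network setting; if that is not configured elsewhere, denied logins will be logged with Caddy's own address and the jail added further down would ban the proxy rather than the client. Setting the headers from `{remote_host}` does overwrite anything the client sent, which is what the ban logic needs, but it is only the real client when Caddy is the outermost hop; behind a CDN or another proxy it is that hop's address. I would record both assumptions next to the block, e.g. `# Jellyfin must list this Caddy instance under Known proxies; {remote_host} is the direct peer, so Caddy has to be the edge`.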
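Review bot: As rendered here the `failregex` has an empty `""` where fail2ban's host tag belongs, and without `<ADDR>` (or `<HOST>`) the filter has no address to ban; the tag may simply have been lost in this page's rendering, but the committed line should read `failregex = ''^.*Authentication request for .* has been denied \(IP: "<ADDR>"\)\..*$'';`. Two further gaps in the `settings` block: the `log_*.log` glob in `logpath` is, as far as I know, expanded when the jail starts, so Jellyfin's next dated log file is not watched until fail2ban is reloaded, and `port = "http,https"` leaves the backend port that Caddy proxies to unbanned if it is reachable from outside. A comment such as `# needs a fail2ban reload after Jellyfin rotates its log; the Jellyfin port itself must stay firewalled`, or a periodic reload, would cover both.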