fail2ban: implement for jellyfin

services/jellyfin.nix

@@ -23,7 +23,11 @@
   };
 
   services.caddy.virtualHosts."jellyfin.${service_configs.https.domain}".extraConfig = ''
-    reverse_proxy :${builtins.toString service_configs.ports.jellyfin}
+    reverse_proxy :${builtins.toString service_configs.ports.jellyfin} {
+      header_up X-Real-IP {remote_host}
+      header_up X-Forwarded-For {remote_host}
+      header_up X-Forwarded-Proto {scheme}
+    }
     request_body {
     	max_size 4096MB
     }
@@ -39,4 +43,19 @@
     "render"
     service_configs.media_group
   ];
+
+  # Protect Jellyfin login from brute force attacks
+  services.fail2ban.jails.jellyfin = {
+    enabled = true;
+    settings = {
+      backend = "auto";
+      port = "http,https";
+      logpath = "${config.services.jellyfin.dataDir}/log/log_*.log";
+      # defaults: maxretry=5, findtime=10m, bantime=10m
+    };
+    filter.Definition = {
+      failregex = ''^.*Authentication request for .* has been denied \(IP: "<ADDR>"\)\..*$'';
+      ignoreregex = "";
+    };
+  };
 }