Add fail2ban tasks for forgejo

roles/forgejo/files/fail2ban/forgejo-filter.conf

@@ -0,0 +1,5 @@
+# Fail2ban forgejo filter
+
+[Definition]
+failregex =  .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
+ignoreregex =

roles/forgejo/tasks/fail2ban.yml

@@ -0,0 +1,20 @@
+---
+- name: Copy fail2ban filter
+  become: true
+  ansible.builtin.copy:
+    src: fail2ban/forgejo-filter.conf
+    dest: /etc/fail2ban/filter.d/forgejo.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify: Restart fail2ban service
+
+- name: Copy fail2ban jail
+  become: true
+  ansible.builtin.template:
+    src: fail2ban/forgejo-jail.conf.j2
+    dest: /etc/fail2ban/jail.d/forgejo.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify: Restart fail2ban service

roles/forgejo/tasks/main.yml

@@ -19,3 +19,7 @@
 
 - name: Include start tasks
   ansible.builtin.include_tasks: start.yml
+
+# fail2ban tasks need the forgejo log file, which should be created when forgejo runs
+- name: Include fail2ban tasks
+  ansible.builtin.include_tasks: fail2ban.yml

roles/forgejo/templates/fail2ban/forgejo-jail.conf.j2

@@ -0,0 +1,8 @@
+[forgejo]
+enabled = true
+filter = forgejo
+logpath = {{ forgejo_log_dir }}/gitea.log
+maxretry = 10
+findtime = 3600
+bantime = 900
+action = iptables-allports