From b263c1fc8498586122f0c3aadf3d0c054d52aaf0 Mon Sep 17 00:00:00 2001
From: Tom Hubrecht
Date: Thu, 16 Jan 2025 15:27:41 +0100
Subject: [PATCH] feat(dgn-firewall): Ban f*cking AI crawlers again
---
 modules/nixos/dgn-firewall/default.nix | 9 ++++++---
 modules/nixos/dgn-firewall/streams.nix | 12 ++++++++++++
 2 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/modules/nixos/dgn-firewall/default.nix b/modules/nixos/dgn-firewall/default.nix
index 5e42bed..829b68a 100644
--- a/modules/nixos/dgn-firewall/default.nix
+++ b/modules/nixos/dgn-firewall/default.nix
@@ -86,9 +86,12 @@ in
 stop = [ (nft "delete table inet reaction") ];
- streams = {
- inherit (streams') ssh;
- } // (optionalAttrs config.services.nginx.enable { inherit (streams') ai-crawlers; });
+ streams =
+ {
+ inherit (streams') ssh;
+ }
+ // (optionalAttrs config.services.nginx.enable { inherit (streams') ai-crawlers; })
+ // (optionalAttrs config.services.forgejo.enable { inherit (streams') forgejo-slow-crawlers; });
 }; }; }
diff --git a/modules/nixos/dgn-firewall/streams.nix b/modules/nixos/dgn-firewall/streams.nix
index ba37e1f..c67c042 100644
--- a/modules/nixos/dgn-firewall/streams.nix
+++ b/modules/nixos/dgn-firewall/streams.nix
@@ -63,6 +63,18 @@ in
 }; };
+ forgejo-slow-crawlers = {
+ cmd = journalctl "forgejo";
+ filters.slowness = {
+ regex = [
+ "router: slow .* GET /.* for :0, elapsed .*"
+ ];
+ actions = ban "72h";
+ retry = 15;
+ retryPeriod = "2h";
+ };
+ };
+
 ssh = { cmd = journalctl "sshd";
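Review bot: In default.nix the new `forgejo-slow-crawlers` stream is switched on for every host where `config.services.forgejo.enable` is true, with no way to opt out or to exempt known-good addresses. The filter it pulls in from streams.nix bans for 72h after 15 slow GETs in 2h, so a legitimate heavy client (a mirror job, CI, or many users behind one NAT) can be locked out. If Forgejo runs behind the nginx proxy on these hosts, it is also worth confirming that the address in the `router: slow` journal line is the real client and not the proxy, since a ban keyed on the proxy address would cut off everyone. I would at least add a comment above the merge, such as `# forgejo-slow-crawlers: bans on Forgejo "router: slow" journal lines; needs the real client address in those logs`. The enclosing attribute set begins outside this hunk, so any existing override mechanism is not visible here.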