diff --git a/nixos/services/forgejo/default.nix b/nixos/services/forgejo/default.nix
index 5c77e54..b6fd1e7 100644
--- a/nixos/services/forgejo/default.nix
+++ b/nixos/services/forgejo/default.nix
@@ -10,9 +10,15 @@ in {
 options.trivium.services.forgejo = {
 enable = mkEnableOption "forgejo settings";
 
+ fail2ban = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Enable fail2ban jail for failed authentication attempt, invalid credentials, attempted access of unknown user.";
+ };
+
 virtualHost = mkOption {
 type = types.string;
- description = "Virtualhost to use for nginx's reverse proxy. Usually something like git..com";
+ description = "Virtualhost to use for nginx's reverse proxy. Usually something likge git..com";
 };
 
 appName = mkOption {
@@ -23,11 +29,17 @@ in {
 disableRegistration = mkOption {
 type = types.bool;
 default = true;
- description = "Turn this off just to create the first admin account";
+ description = "Turn this off just to create the first admin account.";
 };
 };
 
 config = mkIf cfg.enable {
+ environment.etc."fail2ban/filter.d/gitea.local".text = ''
+ [Definition]
+ failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from
+ ignoreregex =
+ '';
+
 services = {
 nginx = {
 virtualHosts."${cfg.virtualHost}" = {
@@ -41,6 +53,15 @@ in {
 };
 };
 
+ fail2ban.jails.gitea.settings = mkIf cfg.fail2ban {
+ filter = "gitea";
+ logpath = "${config.services.gitea.stateDir}/log/gitea.log";
+ maxretry = "10";
+ findtime = "3600";
+ bantime = "900";
+ action = "iptables-allports";
+ };
+
 forgejo = {
 enable = true;
 lfs.enable = true;
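Review bot: The rewritten `virtualHost` description in the first hunk introduces a typo, `likge` for `like`, so the only change to that line makes the option help worse; it should read `description = "Virtualhost to use for nginx's reverse proxy. Usually something like git.example.com";`. The `git..com` example also looks as if it once held an angle-bracketed placeholder that was stripped, which a concrete example domain avoids. The new `fail2ban` option's description is a list fragment rather than a sentence; something like `description = "Enable a fail2ban jail that bans clients after repeated failed logins, invalid credentials, or access attempts for unknown users."` tells the user what enabling it does.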
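Review bot: The `failregex` in the new `filter.d/gitea.local` ends in `from` with no `<HOST>` capture, and without one fail2ban has no address to ban, so the jail would match lines but never act; if the token was merely lost in rendering this is moot, otherwise the line should end `.* from <HOST>`, as in the upstream Gitea/Forgejo fail2ban recipe. The filter file is also written unconditionally while the jail in the last hunk is gated on `cfg.fail2ban`; `environment.etc."fail2ban/filter.d/gitea.local" = mkIf cfg.fail2ban { text = ''…''; };` keeps the two together. A `.local` with no matching `.conf` in `filter.d` is unusual (the `.local` layer is meant for overriding a `.conf`); if the nixpkgs version in use offers `services.fail2ban.jails.<name>.filter`, generating the filter from the jail definition avoids the hand-placed file entirely — worth confirming.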
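Review bot: `logpath` in the new jail reads `config.services.gitea.stateDir`, but this module enables `services.forgejo`, not `services.gitea`, so the path resolves to Gitea's default state directory rather than Forgejo's, and fail2ban refuses to start a jail whose logpath matches no existing file — the jail silently protects nothing. It should be `logpath = "${config.services.forgejo.stateDir}/log/<file>";` with the file name confirmed against what Forgejo actually writes, and only if file logging is enabled at all; if the service logs to the journal, `backend = "systemd"` with a `journalmatch` is the right setup instead of a logpath. Naming the jail and filter `forgejo` rather than `gitea` would match the service they protect. Nothing in these hunks sets `services.fail2ban.enable`; if it is not set elsewhere in the module, defining the jail starts no daemon.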