tnvim/modules/nixos/fail2ban.nix

{config, ...}: let
  isFirewallEnabled = config.networking.firewall.enable;
in {
  services.fail2ban = {
    enable = isFirewallEnabled;
    maxretry = 5;
    banaction = "iptables-multiport[blocktype=DROP]";
    ignoreIP = [
      "127.0.0.0/8"
      "10.0.0.0/8"
      "192.168.0.0/16"
    ];
    bantime = "24h";

    bantime-increment = {
      enable = true;
      rndtime = "12m";
      overalljails = true;
      multipliers = "4 8 16 32 64 128 256 512 1024 2048";
      maxtime = "192h";
    };

    jails = {
      sshd.settings = {
        enabled = true;
        port = toString config.services.openssh.ports;
        mode = "aggressive";
        filter = "sshd";
      };
    };
  };
}