# NixOS module fragment: runs fail2ban with nftables-based ban actions and a
# tightened sshd jail.
{ config, pkgs, ... }:

{
  services.fail2ban = {
    enable = true;
    package = pkgs.fail2ban;

    # Bans are applied through nftables rather than iptables.
    packageFirewall = pkgs.nftables;
    banaction = "nftables-multiport";
    # NOTE(review): upstream fail2ban names its all-ports nftables action
    # file "nftables-allports" (plural). Confirm that "nftables-allport"
    # resolves to an existing action in the packaged action.d; an unknown
    # action name would leave all-ports bans unenforced.
    banaction-allports = "nftables-allport";

    # Repeat offenders get progressively longer bans.
    bantime-increment.enable = true;

    # Left disabled, so this file exempts no extra address ranges.
    # If it is re-enabled, every host inside the listed /24s is never banned,
    # including a compromised internal machine; keep such ranges narrow.
    # ignoreIP = [ "10.0.0.0/24" "10.3.0.0/24" ];

    # sshd jail: three failures trigger a ban. "aggressive" selects the
    # broadest sshd filter mode, so more kinds of log lines count as
    # failures. Together with incrementing ban times this raises the chance
    # of locking out a legitimate admin, so keep an out-of-band way in.
    # NOTE(review): if the module's own default sshd jail is set with
    # mkDefault, this string replaces it instead of merging, and any
    # `enabled`/`port` lines from that default are lost. Verify that the
    # jail is active with `fail2ban-client status sshd`.
    jails.sshd = ''
      maxretry = 3
      mode = aggressive
    '';

    # Daemon settings, written in fail2ban.conf syntax.
    # Logs go to syslog at INFO. The control socket and pid file live under
    # /run/fail2ban, and the ban database under /var/lib/fail2ban.
    # Whoever can write to the control socket can lift bans, so its
    # directory should stay root-only (presumably the module's default;
    # confirm).
    daemonConfig = ''
      [Definition]
      loglevel = INFO
      logtarget = SYSLOG
      socket = /run/fail2ban/fail2ban.sock
      pidfile = /run/fail2ban/fail2ban.pid
      dbfile = /var/lib/fail2ban/fail2ban.sqlite3
    '';
  };
}