# fail2ban tuning: nftables-backed ban actions with escalating ban times.
# Everything below is applied only when services.fail2ban.enable is set.
{ pkgs, lib, config, ... }:
let
  cfg = config.services.fail2ban;
in
{
  config = lib.mkIf cfg.enable {
    services.fail2ban = {
      # Makes the nft binary available to the fail2ban service; the
      # nftables-* ban actions selected below invoke it.
      extraPackages = [ pkgs.nftables ];

      # Failures tolerated before a host is banned, and the base ban length.
      maxretry = 5;
      bantime = "10m";

      # Addresses listed here are never banned, so keep the list as narrow
      # as possible.
      # NOTE(review): Tailscale's default IPv4 pool is 100.64.0.0/10; this /16
      # only covers 100.64.x.x. Confirm the tailnet's address pool is limited
      # to this range. 100.64.0.0/10 is also the RFC 6598 carrier-grade NAT
      # space, so widen the entry only if that traffic cannot reach this host
      # outside the tailnet.
      ignoreIP = [
        "100.64.0.0/16" # Tailscale
      ];

      banaction = "nftables-multiport";
      banaction-allports = "nftables-allports";

      # Repeat offenders get progressively longer bans.
      bantime-increment = {
        enable = true;
        # Factors applied to the base bantime on successive bans.
        multipliers = "2 8 32 128 512 2048";
        # Upper bound on any single ban: 2400h = 100 days.
        maxtime = "2400h";
        # Count violations across all jails, not per jail, when computing
        # the ban time.
        overalljails = true;
      };
    };
  };
}