{ config, pkgs, lib, ... }:

{
  services.fail2ban = {
    enable = true;

    bantime = "1h";
    bantime-increment = {
      enable = true;
      maxtime = "168h";
      factor = "4";
    };

    maxretry = 5;

    ignoreIP = [
      "127.0.0.0/8"
      "::1"
      "100.64.0.0/10"
    ];

    jails = {
      sshd = {
        settings = {
          enabled = true;
          port = "22";
          filter = "sshd[mode=aggressive]";
          maxretry = 5;
          findtime = "10m";
          bantime = "1h";
        };
      };

      nginx-botsearch = {
        settings = {
          enabled = true;
          port = "http,https";
          filter = "nginx-botsearch";
          logpath = "/var/log/nginx/access.log";
          maxretry = 5;
          findtime = "10m";
          bantime = "1h";
        };
      };

      nginx-http-auth = {
        settings = {
          enabled = true;
          port = "http,https";
          filter = "nginx-http-auth";
          logpath = "/var/log/nginx/error.log";
          maxretry = 5;
          findtime = "10m";
          bantime = "1h";
        };
      };

      nginx-bad-request = {
        settings = {
          enabled = true;
          port = "http,https";
          filter = "nginx-bad-request";
          logpath = "/var/log/nginx/access.log";
          maxretry = 15;
          findtime = "10m";
          bantime = "30m";
        };
      };
    };
  };
}