{ pkgs, lib, ... }:
let
  inherit (lib) mkDefault;

  # Overrides for the nftables actions shipped with fail2ban: banned hosts
  # are silently dropped instead of rejected, so a scanner gets no
  # reject/RST feedback from a banned address.
  nftablesCommonLocal = ''
    [Init]
    blocktype = drop
  '';

  # Local jail filter for PostgreSQL authentication failures read from the
  # journal.  The regexes anchor on `<HOST>` at the start of the message,
  # which only works because `log_line_prefix` below puts the client host
  # (`%h`) in front of every server log line.  `maxlines = 1` keeps the
  # filter single-line; the `F-MLFID` prefregex is what the default
  # multi-line machinery needs, so leave both in place if you edit this.
  postgresqlFilterLocal = ''
    [INCLUDES]
    before = common.conf
    [DEFAULT]
    _daemon = postgresql-start
    [Definition]
    journalmatch = _SYSTEMD_UNIT=postgresql.service + _COMM=postgres
    prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID><F-CONTENT>.+</F-CONTENT>$
    failregex = ^<HOST>\s+FATAL:\s*no pg_hba.conf entry for host.+$
                ^<HOST>\s+FATAL:\s*no PostgreSQL user name specified in startup packet.+$
                ^<HOST>\s+FATAL:\s*password authentication failed for user.+$
                ^<HOST>\s+FATAL:\s*unsupported frontend protocol.+$
    maxlines = 1
    #ignoreregex = duration:
  '';
in
{
  services = {
    fail2ban = {
      # Ban with nftables rather than the iptables defaults.  `mkDefault`
      # keeps these overridable from a host-specific module.
      banaction = mkDefault "nftables-multiport";
      banaction-allports = mkDefault "nftables-allports";
      packageFirewall = mkDefault pkgs.nftables;

      # Escalating ban times for repeat offenders: the formula doubles the
      # base bantime per prior ban of the same host, capped at 2^20.
      bantime-increment = {
        enable = true;
        factor = "1";
        formula = "ban.Time * (1 << min(ban.Count, 20)) * banFactor";
        # Count bans per jail, not across all jails.
        overalljails = false;
        # NOTE(review): empty string rather than leaving the option unset —
        # confirm the NixOS module does not emit an empty `bantime.rndtime =`
        # line for this value.
        rndtime = "";
      };
    };

    # Detailed sshd auth logging (e.g. key fingerprints on publickey logins),
    # which gives the sshd jail and forensics more to work with.
    openssh.settings.LogLevel = "VERBOSE";

    # Prefix every PostgreSQL log line with the client host; required by the
    # `<HOST>` capture in the filter above.
    postgresql.settings.log_line_prefix = "%h ";
  };

  /*
    Left disabled as in the original; presumably intended to re-apply
    fail2ban's nftables sets after the firewall is (re)started.
    systemd.services.nftables.postStart = '' systemctl reload fail2ban '';
  */

  environment.etc = {
    "fail2ban/action.d/nftables-common.local".text = nftablesCommonLocal;
    "fail2ban/filter.d/postgresql.local".text = postgresqlFilterLocal;
  };
}