{ pkgs, lib, config, hosts, ... }:
{
# Raise sshd's log verbosity above the OpenSSH default (INFO).
# NOTE(review): presumably set for the fail2ban sshd jail below, whose filter
# matches on sshd log lines; confirm the jail still catches failed logins if
# this is ever lowered.
services.openssh.logLevel = "VERBOSE";
/*
systemd.services.nftables.postStart = ''
  systemctl reload fail2ban
'';
*/
# fail2ban: ban source addresses that show up in sshd / postfix failure logs,
# enforcing the bans through nftables.
# NOTE(review): fail2ban's nftables objects may disappear when the nftables
# ruleset is reloaded or flushed; the disabled postStart hook just above looks
# aimed at that. Confirm bans survive an nftables restart.
services.fail2ban = {
  enable = true;
  # Action definitions used for per-port bans and for all-port bans.
  banaction = "nftables-multiport";
  banaction-allports = "nftables-allports";
  # Escalating ban duration for repeat offenders.
  bantime-increment = {
    enable = true;
    factor = "1";
    # Ban time is multiplied by 2^(ban count), with the exponent capped at 20,
    # then by the factor above (1, so no extra scaling).
    formula = "ban.Time * (1 << min(ban.Count, 20)) * banFactor";
    # Upper bound on any single ban, however often the address re-offends.
    maxtime = "1y";
    # Left empty. Presumably this means the formula above is used rather than
    # a fixed multiplier list; verify against the generated jail.local.
    multipliers = "";
    # Ban history is counted per jail, not across all jails.
    overalljails = false;
    # Left empty. Presumably no random jitter is added to ban times; verify.
    rndtime = "";
  };
  packageFirewall = pkgs.nftables;
  # Addresses that are never banned.
  # NOTE(review): the second entry is a DNS name, so the exemption follows
  # whatever that name resolves to when fail2ban looks it up. Anyone able to
  # change or spoof that record gains an unbannable source; a pinned address
  # is more predictable if the host's IP is stable.
  ignoreIP = [
    hosts.mermet._module.args.ipv4
    "losurdo.sourcephile.fr"
  ];
  jails = {
    # Empty: contributes no extra [DEFAULT] settings from this file.
    DEFAULT = ''
    '';
    # sshd: a single matching log line within one day triggers a ban.
    # The first ban lasts 5 minutes and grows via bantime-increment above.
    # "aggressive" selects the broader sshd filter mode.
    # NOTE(review): with maxretry = 1, one mistyped password or failed key
    # offer from an address outside ignoreIP locks that address out. Make sure
    # an out-of-band access path exists.
    sshd = ''
      enabled = true
      bantime = 5m
      findtime = 1d
      maxretry = 1
      mode = aggressive
    '';
    # postfix: same window and initial ban as sshd, but no maxretry is set
    # here, so the threshold comes from a default defined elsewhere.
    # TODO confirm the effective value in the generated configuration.
    postfix = ''
      enabled = true
      bantime = 5m
      findtime = 1d
      mode = aggressive
    '';
  };
};
# Local override for the shared nftables action settings: a ".local" file is
# read on top of the stock nftables-common definition of the same name.
# blocktype = drop makes banned traffic get discarded silently, so a banned
# client sees timeouts rather than an explicit refusal.
# NOTE(review): this applies to every jail using the nftables-* actions
# configured in services.fail2ban; confirm that is intended for postfix too.
environment.etc."fail2ban/action.d/nftables-common.local".text = ''
  [Init]
  blocktype = drop
'';
}