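# NixOS module: fail2ban using nftables ban actions, with jails for sshd,
# postfix and postgresql, and an override making bans drop packets.
{ pkgs, hosts, ... }:
{
  # fail2ban works from the sshd log; VERBOSE makes sshd log more detail per
  # connection attempt (presumably wanted for the aggressive sshd jail below).
  services.openssh.settings.LogLevel = "VERBOSE";

  /*
    Disabled hook: reload fail2ban whenever the nftables unit starts.
    NOTE(review): if the nftables unit replaces the whole ruleset on
    (re)start, fail2ban's own table and the bans in it would be gone until
    fail2ban re-applies them. Confirm this is handled elsewhere before
    deleting the hook for good.

    systemd.services.nftables.postStart = ''
      systemctl reload fail2ban
    '';
  */

  services.fail2ban = {
    enable = true;

    # Ban through nftables rather than iptables.
    packageFirewall = pkgs.nftables;
    banaction = "nftables-multiport";
    banaction-allports = "nftables-allports";

    # Repeat offenders: each jail's 5m base ban is doubled per previously
    # recorded ban (shift capped at 20) and the result is capped at one year.
    bantime-increment = {
      enable = true;
      factor = "1";
      formula = "ban.Time * (1 << min(ban.Count, 20)) * banFactor";
      maxtime = "1y";
      # Ban history is counted per jail, not across all jails.
      overalljails = false;
      rndtime = "";
    };

    # Never banned. The second entry is a DNS name, so this allowlist is only
    # as trustworthy as the resolver answer fail2ban gets for it; a pinned
    # address avoids that dependency.
    ignoreIP = [
      hosts.mermet._module.args.ipv4
      "losurdo.sourcephile.fr"
    ];

    jails = {
      # One matching log line within a day is enough for a ban, and the
      # aggressive mode matches more than plain authentication failures.
      # Legitimate clients outside ignoreIP can lock themselves out with a
      # single mistake; the base ban is short, but it grows on repeats.
      sshd.settings = {
        enabled = true;
        bantime = "5m";
        findtime = "1d";
        maxretry = "1";
        mode = "aggressive";
      };

      postfix.settings = {
        enabled = true;
        bantime = "5m";
        # The mode has to be part of the filter reference. An explicit
        # `filter` replaces fail2ban's stock `%(__name__)s[mode=%(mode)s]`
        # default, so a bare "postfix" would load the filter in its own
        # default mode and the `mode` key below would have no effect.
        filter = "postfix[mode=aggressive]";
        findtime = "1d";
        mode = "aggressive";
        # Only port 465 is closed to a banned host by the multiport action.
        # NOTE(review): if this host also accepts mail on 25 or 587, a banned
        # client can still reach those; confirm this is intended.
        port = 465;
      };

      # NOTE(review): no filter definition for "postgresql" is visible in
      # this file, and it does not look like one of fail2ban's bundled
      # filters. Confirm filter.d/postgresql.conf is provided elsewhere,
      # otherwise this jail cannot start.
      postgresql.settings = {
        enabled = true;
        bantime = "5m";
        filter = "postgresql";
        findtime = "1d";
        port = 5432;
      };
    };
  };

  # Local override for the nftables actions: banned hosts are dropped
  # silently instead of receiving a reject.
  environment.etc."fail2ban/action.d/nftables-common.local".text = ''
    [Init]
    blocktype = drop
  '';
}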