{ pkgs, lib, config, hosts, ... }:
# fail2ban module: bans sources that fail to authenticate against sshd and
# PostgreSQL, enforcing the bans with nftables. The two log settings at the top
# are what make the filters below match, so they live in this module too.
{
# sshd's default log level omits some pre-authentication events; VERBOSE is
# presumably what the sshd jail's `mode = aggressive` (below) relies on — lower
# it and that jail will see fewer failures.
services.openssh.logLevel = "VERBOSE";
# Prefix every PostgreSQL log line with the client host (%h). The failregex in
# filter.d/postgresql.local below anchors on `^<HOST>\s+FATAL:` and depends on
# exactly this prefix; change the two together.
services.postgresql.logLinePrefix = "%h ";
# Disabled hook that would reload fail2ban after the nftables unit (re)starts.
# NOTE(review): if the nftables unit flushes the ruleset when it reloads,
# fail2ban's ban table goes with it and existing bans stop being enforced until
# fail2ban itself reloads — confirm, and consider re-enabling this.
/*
systemd.services.nftables.postStart = '' systemctl reload fail2ban '';
*/
services.fail2ban = {
  enable = true;
  # Ban with nftables rather than the iptables defaults; packageFirewall names
  # the nft package the actions call.
  banaction = "nftables-multiport";
  banaction-allports = "nftables-allports";
  # Escalating bans for repeat offenders. With factor 1 the formula yields
  # bantime * 2^min(ban.Count, 20): the jail's bantime for the first ban, then
  # doubling with each earlier ban of the same source, capped at maxtime (1y).
  bantime-increment = {
    enable = true;
    factor = "1";
    formula = "ban.Time * (1 << min(ban.Count, 20)) * banFactor";
    maxtime = "1y";
    multipliers = "";     # empty: no multiplier table, so the formula above applies
    overalljails = false; # ban count is tracked per jail, not across jails
    rndtime = "";         # empty: no random jitter added to ban durations
  };
  packageFirewall = pkgs.nftables;
  # Sources that are never banned, whatever they do. Only loopback and the
  # 192.168/16 private range are kept from the usual special-purpose list; the
  # rest stay commented out. Hostnames are resolved by fail2ban itself.
  # NOTE(review): whitelisting a shared VPN endpoint exempts every client behind
  # it, not just this deployment's operator — confirm that is intended.
  ignoreIP = [
    #"0.0.0.0/8"
    #"10.0.0.0/8"
    "127.0.0.0/8"
    #"169.254.0.0/16"
    #"172.16.0.0/12"
    #"192.0.2.0/24"
    "192.168.0.0/16"
    #"224.0.0.0/3"
    #"240.0.0.0/5"
    hosts.mermet.extraArgs.ipv4 # the mermet host's IPv4, from the `hosts` module argument
    "losurdo.sourcephile.fr"
    "vpn.riseup.net"
  ];
  # Jail definitions in fail2ban's ini syntax. DEFAULT is left empty so the
  # module's own defaults apply to every jail.
  jails = {
    DEFAULT = ''
    '';
    # A single failure within a day (maxretry = 1, findtime = 1d) earns a 5m
    # ban, escalating per bantime-increment above. `mode = aggressive` selects
    # the sshd filter's broadest pattern set.
    # NOTE(review): maxretry = 1 also bans a legitimate user after one mistyped
    # password; the ignoreIP list above is the only safety net.
    sshd = ''
      enabled = true
      bantime = 5m
      findtime = 1d
      maxretry = 1
      mode = aggressive
    '';
    # Uses the `postgresql` filter defined in filter.d/postgresql.local below.
    # Short 1m bans, escalating per bantime-increment; maxretry is inherited.
    postgresql = ''
      enabled = true
      bantime = 1m
      filter = postgresql
      findtime = 1d
      port = 5432
    '';
  };
};
# Override shared by the nftables-* actions: banned traffic is dropped silently
# rather than rejected with an error.
environment.etc."fail2ban/action.d/nftables-common.local".text = ''
  [Init]
  blocktype = drop
'';
# Filter for the postgresql jail, reading the postgresql.service journal rather
# than a log file. prefregex splits each line into the common prefix and the
# content the failregex lines then match; those four lines cover the FATAL
# messages PostgreSQL logs for rejected connections (no pg_hba.conf entry,
# missing user name, failed password, unsupported protocol). Each matching line
# counts once (maxlines = 1). `<HOST>` is filled from the `%h ` prefix set above.
environment.etc."fail2ban/filter.d/postgresql.local".text = ''
  [INCLUDES]
  before = common.conf
  [DEFAULT]
  _daemon = postgresql-start
  [Definition]
  journalmatch = _SYSTEMD_UNIT=postgresql.service + _COMM=postgres
  prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID><F-CONTENT>.+</F-CONTENT>$
  failregex = ^<HOST>\s+FATAL:\s*no pg_hba.conf entry for host.+$
              ^<HOST>\s+FATAL:\s*no PostgreSQL user name specified in startup packet.+$
              ^<HOST>\s+FATAL:\s*password authentication failed for user.+$
              ^<HOST>\s+FATAL:\s*unsupported frontend protocol.+$
  maxlines = 1
  #ignoreregex = duration:
'';
}