# NixOS module: fail2ban on top of nftables, with jails for sshd and postfix.
#
# Arguments used here:
#   pkgs     - supplies the nftables package handed to fail2ban.
#   machines - project-supplied attribute set; two hosts' `extraArgs.ipv4`
#              values are read for the never-ban list.
# `lib` and `config` are accepted but not referenced in this file.
{ pkgs, lib, config, machines, ... }:
let
  # Sources that fail2ban must never ban.
  # NOTE(review): the last entry is a hard-coded address. If that host is
  # renumbered, the exemption stays with the address rather than the host,
  # so this list needs periodic review.
  neverBan = [
    machines.mermet.extraArgs.ipv4
    machines.losurdo.extraArgs.ipv4
    "198.252.154.1" # wren.riseup.net
  ];

  # Escalating ban durations for repeat offenders: the formula doubles the
  # ban time for each recorded ban, with the exponent capped at 20, and
  # `maxtime` caps the result at one year. `overalljails = false` keeps the
  # repeat count per jail instead of across all jails.
  repeatOffenderBackoff = {
    enable = true;
    factor = "1";
    formula = "ban.Time * (1 << min(ban.Count, 20)) * banFactor";
    maxtime = "1y";
    multipliers = "";
    overalljails = false;
    rndtime = "";
  };
in
{
  services = {
    # The sshd jail below matches on sshd's log output; VERBOSE makes sshd
    # record more detail about each authentication attempt.
    sshd.logLevel = "VERBOSE";

    fail2ban = {
      enable = true;
      packageFirewall = pkgs.nftables;
      banaction = "nftables-multiport";
      banaction-allports = "nftables-allports";
      bantime-increment = repeatOffenderBackoff;
      ignoreIP = neverBan;

      jails = {
        # Left empty: no extra [DEFAULT] settings are added here.
        DEFAULT = ''
        '';

        # maxretry = 1 means a single matching failure inside the one-day
        # findtime triggers a ban; the first ban lasts 5 minutes and grows
        # through the backoff above. Anyone not on the never-ban list is
        # locked out by one failed attempt.
        # NOTE(review): no `port` is set in this jail. If sshd listens on a
        # non-default port, confirm the multiport ban action still covers it.
        sshd = ''
          enabled = true
          bantime = 5m
          findtime = 1d
          maxretry = 1
          mode = aggressive
        '';

        # No maxretry here, so this jail uses whatever default applies.
        postfix = ''
          enabled = true
          bantime = 5m
          findtime = 1d
          mode = aggressive
        '';
      };
    };
  };

  # Restart fail2ban every time the nftables unit has started.
  # NOTE(review): presumably because (re)loading the ruleset discards the
  # tables fail2ban created, which would leave bans unenforced - confirm.
  systemd.services.nftables = {
    postStart = ''
      systemctl restart fail2ban
    '';
  };

  # Local override for the nftables action: packets from banned sources are
  # dropped rather than answered.
  # NOTE(review): this only takes effect if the packaged fail2ban ships an
  # `nftables-common` action file that the ban actions above include; check
  # the installed action.d directory.
  environment.etc = {
    "fail2ban/action.d/nftables-common.local" = {
      text = ''
        [Init]
        blocktype = drop
      '';
    };
  };
}