# Filter and ban unauthorized access { config, lib, ... }: let cfg = config.my.services.fail2ban; wgNetCfg = config.my.services.wireguard.net; in { options.my.services.fail2ban = with lib; { enable = mkEnableOption "fail2ban daemon"; }; config = lib.mkIf cfg.enable { services.fail2ban = { enable = true; ignoreIP = [ # Wireguard IPs "${wgNetCfg.v4.subnet}.0/${toString wgNetCfg.v4.mask}" "${wgNetCfg.v6.subnet}::/${toString wgNetCfg.v6.mask}" # Loopback addresses "127.0.0.0/8" ]; maxretry = 5; bantime-increment = { enable = true; rndtime = "5m"; # Use 5 minute jitter to avoid unban evasion }; jails.DEFAULT.settings = { findtime = "4h"; bantime = "10m"; }; }; my.system.persist.directories = [ "/var/lib/${config.systemd.services.fail2ban.serviceConfig.StateDirectory}" ]; }; }