# NixOS module: fail2ban with escalating ban times, plus overrides on the
# fail2ban systemd unit.
{ config, pkgs, ... }:

{
  services.fail2ban = {
    enable = true;

    # Ban an IP once 5 violations have been observed.
    maxretry = 5;

    # Addresses that are never banned (labelled as the Headscale network).
    # NOTE(review): hosts in this range are exempt from every jail, so keep it
    # as narrow as possible and confirm it matches the prefix Headscale is
    # actually configured to hand out.
    ignoreIP = [
      "100.64.0.0/24"
    ];

    # Base ban duration: one day.
    bantime = "24h";

    bantime-increment = {
      # Lengthen the ban each time the same IP offends again.
      enable = true;

      # Factors applied to the base bantime on successive bans.
      # With a 24h base, factors of 8 and above exceed maxtime (8 x 24h = 192h),
      # so those bans are capped at one week.
      multipliers = "1 2 4 8 16 32 64";

      # Upper bound on any single ban: one week.
      maxtime = "168h";

      # Count an IP's violations across all jails, not per jail.
      overalljails = true;
    };
  };

  # Overrides for the fail2ban systemd unit.
  systemd.services.fail2ban = {
    # NOTE(review): `user` does not look like an option of
    # systemd.services.<name>; the unit's account is normally set through
    # serviceConfig.User. Confirm this evaluates. fail2ban also needs enough
    # privilege to change firewall rules, so verify that banning still works
    # if the daemon really runs as this account.
    user = "telegraf";

    # Runs after the daemon starts and grants read permission on this path to
    # every local account ("other").
    # NOTE(review): this is presumably fail2ban's control socket, i.e. the
    # channel used to query and change bans. Prefer granting access to a
    # dedicated group over widening it to "other". Connecting to a Unix socket
    # on Linux also requires write permission, so o+r alone may not give the
    # metrics collector what it needs. Confirm the path matches the socket the
    # daemon creates (fail2ban's stock socket name ends in `.sock`).
    postStart = "chmod o+r /var/run/fail2ban/fail2ban.socket";
  };
}