# NixOS module: site-local wrapper around services.fail2ban.
#
# Exposes a single switch, `local.net.fail2ban.enable`. When set, it turns on
# fail2ban with escalating ban times and an allowlist taken from the site's
# network definitions (`config.local.nets`, declared elsewhere).
#
# No jails are declared here. Which services are actually watched depends on
# jails defined in other modules or on the upstream module's defaults.
{ lib, config, pkgs, ... }:

let
  inherit (lib) mkEnableOption mkIf;
  inherit (config.local) nets;

  cfg = config.local.net.fail2ban;
in
{
  options.local.net.fail2ban = {
    enable = mkEnableOption "fail2ban";
  };

  config = mkIf cfg.enable {
    services.fail2ban = {
      enable = true;

      # Base ban length for a first offence.
      bantime = "10m";

      # Repeat offenders get progressively longer bans.
      bantime-increment = {
        enable = true;
        # Upper bound on how long an escalated ban may grow.
        maxtime = "48h";
        # Random jitter added to ban times so the unban moment is not
        # predictable to a client timing its retries.
        rndtime = "10m";
        # Count an address's previous bans across every jail, not only the
        # jail that triggered the current ban.
        overalljails = true;
      };

      # Addresses and ranges that fail2ban will never ban.
      # NOTE(review): every entry here is exempt from brute-force throttling.
      # If the gate host forwards, proxies or NATs third-party traffic, that
      # traffic would presumably arrive from these addresses and be exempt
      # too. Confirm against the definitions in `local.nets`, and keep the
      # CIDR entries as narrow as the deployment allows.
      ignoreIP = [
        nets.static-vpn.v6.cidr
        nets.gate0.v6.cidr
        nets.gate-public.hosts.gate.v4.address
        nets.gate-public.hosts.gate.v6.address
      ];
    };
  };
}