{ lib, config, pkgs, ... }:
with lib; let
  cfg = config.local.net.fail2ban;
in
{
  options.local.net.fail2ban = {
    enable = mkEnableOption "fail2ban";
  };

  config = mkIf cfg.enable {
    services.fail2ban = {
      enable = true;

      bantime = "10m";

      bantime-increment = {
        enable = true;

        maxtime = "48h";
        rndtime = "10m";
        overalljails = true;
      };

      #TODO: No quemar
      ignoreIP = [
        "10.34.0.0/16"
        "fd34:2::/64"
        "37.205.12.147"
        "2a03:3b40:fe:3ec::1"
      ];
    };
  };
}