depot/modules/fail2ban/default.nix

{ config, depot, ... }:
{
  services.fail2ban = {
    enable = true;
    banaction = "iptables-multiport[blocktype=DROP]";
    jails.sshd = ''
      enabled = true
      port = 22
      mode = aggressive
    '';
    ignoreIP = [
      "10.0.0.0/8"
      depot.reflection.interfaces.primary.addr
    ];
    bantime-increment = {
      enable = true;
      maxtime = "48h";
    };
  };
}