# vim: ts=2
{...}: {
  services.fail2ban = {
    enable = true;
    maxretry = 2; # ban after 2 failures
    daemonConfig = ''
      [Definition]
      logtarget = SYSLOG
      socket    = /run/fail2ban/fail2ban.sock
      pidfile   = /run/fail2ban/fail2ban.pid
      dbfile    = /srv/fail2ban/fail2ban.sqlite3
    '';
    bantime-increment = {
      enable = true;
      rndtime = "8m";
      overalljails = true;
      multipliers = "2 4 16 128 256";
      maxtime = "72h";
    };
  };
}