{ config, pkgs, ... }: { services.fail2ban = { enable = true; maxretry = 10; ignoreIP = [ "127.0.0.0/8" "10.0.0.0/8" "192.168.0.0/16" "78.94.116.222" ]; bantime-increment.enable = true; banaction-allports = "iptables"; jails = { nginx-deny = '' enabled = true backend = auto logpath = /var/log/nginx/*access.log ''; nginx-botsearch = '' enabled = true ''; grafana = '' enabled = true ''; }; }; environment.etc."fail2ban/filter.d/nginx-deny.conf".text = '' [Definition] failregex = ^.*"(GET|HEAD|POST|PUT|DELETE).*" (400|401|403|405|413|429) .*$ ignoreregex = ''; }