its beginning to look alot like christmas

modules/server/default.nix

@@ -2,7 +2,14 @@
 with lib;
 let cfg = config.void.server;
 in {
-  imports = [ ./dns ./nginx.nix ./services ./postgresql.nix ./redis.nix ];
+  imports = [
+    ./dns
+    ./nginx.nix
+    ./services
+    ./postgresql.nix
+    ./redis.nix
+    ./fail2ban.nix
+  ];
 
   options.void.server = { isServer = mkEnableOption false; };
 

modules/server/fail2ban.nix

@@ -0,0 +1,40 @@
+{ config, lib, ... }:
+with lib;
+let cfg = config.void.server.fail2ban;
+in {
+  options.void.server.fail2ban = { enable = mkEnableOption false; };
+
+  config = mkIf cfg.enable {
+    # again thank you notashelf (again)
+    services.fail2ban = {
+      enable = true;
+      ignoreIP = [
+        "127.0.0.1/8" # localhost
+        "100.64.0.0/16"
+        "192.168.0.0/16"
+      ];
+      banaction = "iptables-multiport";
+      banaction-allports = lib.mkDefault "iptables-allport";
+
+      maxretry = 7;
+      bantime = "10m";
+      bantime-increment = {
+        enable = true;
+        rndtime = "12m";
+        overalljails = true;
+        multipliers = "4 8 16 32 64 128 256 512 1024 2048";
+        maxtime = "10000h"; # ill see you when nix eval times are fast
+      };
+      daemonSettings = {
+        Definition = {
+          loglevel = "INFO";
+          logtarget = "/var/log/fail2ban/fail2ban.log";
+          socket = "/run/fail2ban/fail2ban.sock";
+          pidfile = "/run/fail2ban/fail2ban.pid";
+          dbfile = "/var/lib/fail2ban/fail2ban.sqlite3";
+          dbpurageage = "1d";
+        };
+      };
+    };
+  };
+}

modules/server/services/forgejo.nix

@@ -63,7 +63,7 @@ in {
     services.fail2ban.jails.forgejo = {
       settings = {
         filter = "forgejo";
-        action = "nftables-multiport";
+        action = "iptables-multiport";
         mode = "aggressive";
         maxretry = 5;
         findtime = 3600;