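# Fail2ban configuration for protecting against brute force attacks.
#
# Exposes the `security.fail2ban-enhanced.*` options and, when enabled, turns
# on services.fail2ban with a loopback/home whitelist and two nginx jails.
{ config, lib, ... }:

with lib;

let
  cfg = config.security.fail2ban-enhanced;
in
{
  options.security.fail2ban-enhanced = {
    enable = mkEnableOption "enhanced fail2ban protection";

    homeIP = mkOption {
      type = types.nullOr types.str;
      default = null;
      example = "10.0.0.0/24";
      description = "Home IP or network to whitelist";
    };

    bantime = mkOption {
      type = types.str;
      default = "1h";
      description = "Ban duration";
    };

    maxretry = mkOption {
      type = types.int;
      default = 3;
      description = "Maximum retry attempts";
    };
  };

  config = mkIf cfg.enable {
    services.fail2ban = {
      enable = true;

      # Global defaults for every jail; the nginx jails below deliberately
      # override maxretry with their own thresholds.
      maxretry = cfg.maxretry;
      bantime = cfg.bantime;

      # Loopback is always exempt. homeIP is appended only when set so the
      # list never carries a null entry.
      ignoreIP = [ "127.0.0.0/8" "::1" ]
        ++ optional (cfg.homeIP != null) cfg.homeIP;

      jails = {
        # The upstream nginx-http-auth filter matches the "user ... was not
        # found" / "password mismatch" lines nginx writes to its *error* log,
        # so the jail must read error.log; pointed at access.log it would
        # never match a line and the jail would silently do nothing.
        # bantime follows the module option so `cfg.bantime` really applies.
        nginx-http-auth = ''
          enabled = true
          filter = nginx-http-auth
          logpath = /var/log/nginx/error.log
          maxretry = 5
          bantime = ${cfg.bantime}
          findtime = 10m
        '';

        # Probes for common vulnerable paths show up as 404s in error.log,
        # which is what the upstream nginx-botsearch filter reads.
        nginx-botsearch = ''
          enabled = true
          filter = nginx-botsearch
          logpath = /var/log/nginx/error.log
          maxretry = 2
          bantime = ${cfg.bantime}
        '';
      };
    };
  };
}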