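{ config, pkgs, ... }:

{
  # Hardened SSH: key-only logins, restricted to one allow-listed user.
  services.openssh = {
    enable = true;
    ports = [ 22 ];
    settings = {
      # Only this account may authenticate at all, even with a valid key.
      AllowUsers = [ "wieerwill" ];
      X11Forwarding = false;
      PasswordAuthentication = false;
      # Root can still log in with a key; use "no" if no root key is ever expected.
      PermitRootLogin = "prohibit-password";
      # Without this, PAM keyboard-interactive could still prompt for a password.
      KbdInteractiveAuthentication = false;
    };
  };

  networking.firewall = {
    enable = true;
    allowedTCPPorts = [
      22    # SSH
      80    # HTTP
      443   # HTTPS
      22000 # Syncthing
      # The Tor ports (9050 SOCKS, 9051 Control, 5353 DNS) are deliberately NOT
      # opened here. Tor's SocksPort/ControlPort listen on loopback by default,
      # so firewall entries for them are either inert or, if Tor is bound to a
      # LAN address, expose an open proxy and (for 9051) full control of the
      # daemon. Tor's DNSPort is UDP only, so a TCP 5353 rule never served it.
      # If LAN clients genuinely need SOCKS, scope it to one interface via
      # networking.firewall.interfaces.<iface>.allowedTCPPorts instead.
    ];
    allowedUDPPorts = [ ];
  };

  # NOTE(review): fail2ban bans through the host firewall, so it presumably
  # relies on networking.firewall.enable = true above — keep them together.
  services.fail2ban = {
    enable = true;
    maxretry = 3;    # Ban an IP after 3 failures
    bantime = "24h"; # First ban lasts one day
    bantime-increment = {
      enable = true; # Lengthen the ban for repeat offenders
      #formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
      multipliers = "1 2 4 8 16 32 64";
      maxtime = "168h";    # Never ban for more than one week
      overalljails = true; # Count violations across all jails
    };
  };
}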