{ config, lib, pkgs, ... }: { networking.firewall = { allowPing = true; # allowed TCP range allowedTCPPorts = [ 22 80 2342 9001 9002]; }; services.fail2ban = { enable = true; maxretry = 2; ignoreIP = [ "127.0.0.0/8" "212.114.16.52" ]; }; }