nixos-config/hosts/web/firewall-web.nix


# Firewall and fail2ban settings for the "web" host (hosts/web/firewall-web.nix).
{ config, lib, pkgs, ... }:
{
  # networking.firewall.enable is not set in this file, so the firewall relies
  # on the NixOS default (enabled) unless another module overrides it.

  # Answer ICMP echo requests.
  networking.firewall.allowPing = true;

  # Individual TCP ports (a list, not a range). allowedTCPPorts opens each
  # port on every interface.
  # NOTE(review): if any of these are admin or metrics endpoints, consider
  # scoping them with networking.firewall.interfaces.<name>.allowedTCPPorts
  # instead of exposing them on all interfaces.
  networking.firewall.allowedTCPPorts = [
    22    # SSH
    80    # HTTP
    443   # HTTPS
    9002  # NOTE(review): purpose not visible in this file; confirm it must be reachable externally
    2021  # NOTE(review): purpose not visible in this file; confirm it must be reachable externally
    8096  # presumably Jellyfin HTTP (its default port); verify
    8920  # presumably Jellyfin HTTPS (its default port); verify
  ];

  services.fail2ban.enable = true;

  # Ban after two failed attempts. This is strict: a single mistyped
  # credential followed by one retry is enough to lock out a legitimate client.
  services.fail2ban.maxretry = 2;

  # Addresses fail2ban never bans. Failed logins from these sources are not
  # throttled, so keep the list minimal.
  # NOTE(review): confirm the public address below is static and still under
  # the operator's control.
  services.fail2ban.ignoreIP = [
    "127.0.0.0/8"
    "212.114.16.52"
  ];
}