infrastructure/modules/nixos/dgn-firewall/streams.nix

let
  act = a: [
    "nft46"
    "${a} element inet reaction ipvXbans { <ip> }"
  ];

  journalctl = u: [
    "journalctl"
    "-fn0"
    "-u"
    "${u}.service"
  ];

  ban = after: {
    ban.cmd = act "add";
    unban = {
      inherit after;

      cmd = act "delete";
    };
  };

  available = {
    ssh = {
      cmd = journalctl "sshd";

      filters = {
        failedlogin = {
          regex = [
            "authentication failure;.*rhost=<ip>"
            "Connection reset by authenticating user .* <ip>"
            "Connection closed by invalid user .* <ip> port .*"
            "Failed password for .* from <ip>"
            "Invalid user .* from <ip> port .*"
            "Unable to negotiate with <ip> port .*"
          ];
          actions = ban "48h";
        };
      };
    };
  };
in

builtins.mapAttrs (_: builtins.foldl' (a: s: a // { ${s} = available.${s}; }) { }) {
  default = [ "ssh" ];
}