From fb241568a2edf3a90b176f0c30e02875e4c31fe9 Mon Sep 17 00:00:00 2001
From: TheWanderingCrow <contact@wanderingcrow.net>
Date: Mon, 16 Mar 2026 10:23:02 -0400
Subject: [PATCH] setup fail2ban with expected internal IP ranges on ignore

---
 hosts/common/core/ssh.nix | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/hosts/common/core/ssh.nix b/hosts/common/core/ssh.nix
index 6193f07..7169fdc 100644
--- a/hosts/common/core/ssh.nix
+++ b/hosts/common/core/ssh.nix
@@ -32,5 +32,11 @@
     };
   };
 
-  #services.fail2ban.enable = lib.mkDefault true; # This comes with an SSH jail preconfigured, expanded fail2ban can be found in modules/services
+  services.fail2ban = {
+    enable = lib.mkDefault true;
+    ignoreIP = [ # Expected internal IP ranges
+      "172.16.0.0/12"
+      "192.168.0.0/16"
+    ];
+  };
 }