Nothing for the Nokia 7.2, and yet the 4.2 sits there with more than a half-dozen options. WTF??

And I self-host precisely because of the money I save using surplussed hardware. I have a symmetrical 1Gb SOHO fibre connection from my ISP, so I can host whatever the hell I want, I just need to stand it up. And a beefy older system with oodles of RAM is perfect for spinning up VMs of various platforms for various tasks. This saves me craploads of money over even a single VM on cloud platforms like Vultr. Plus, even if I were to support a “heavy” service sufficiently in demand to warrant its own iron, it still costs me less than a year’s worth of hosting to obtain a decent platform for that service to run on all by it’s lonesome.

My only cloud costs end up being those services which are distributed for redundancy and geographical distance, such as DNS and caching CDNs.

That makes a lot more sense for your setup, then.

Fail2ban bans after 1 attempt for a year.

Fail2ban yes; one year, however, is IMO a bit excessive.

Most ISP IP assignments do tend to linger - even with DHCP the same IP will be re-assigned to the same gateway router for quite a number of sequential times - but most IPs do eventually change within a few months. I personally use 3 months as a happy medium for any blacklist I run. Most dynamic IPs don’t last this long, almost all attackers will rotate through IPs pretty quickly anyhow, and if you run a public service (website, etc.), blocking for an entire year may inadvertently catch legitimate visitors.

Plus, you also have to consider the load such a large blocklist will have on your system, if most entries no longer represent legitimate threat actors, you’ll only bog down your system by keeping them in there.

Fail2ban can be configured to allow initial issues to cycle back out quicker, while blocking known repeat offenders for a much longer time period. This is useful in keeping block lists shorter and less resource-intensive to parse.

Do either of the options you mentioned provide custom nameservers? As in, the ability for ns01.yourdomain.com to resolve to your account on their DNS servers?