# NixOS module fragment: site-wide fail2ban settings. Every value below is
# wrapped in mkIf, so it only takes effect once services.fail2ban.enable is
# turned on elsewhere in the configuration.
{
  pkgs,
  lib,
  config,
  ...
}:
let
  fail2banEnabled = config.services.fail2ban.enable;

  # Repeat offenders get progressively longer bans: the multipliers scale the
  # base bantime and maxtime caps the result.
  escalation = {
    enable = true;
    multipliers = "2 8 32 128 512 2048";
    maxtime = "2400h"; # 100 days
    overalljails = true; # Count violations across all jails, not per jail
  };

  # Sources that must never be banned.
  # NOTE(review): Tailscale's default address pool is 100.64.0.0/10 (the CGNAT
  # shared range). This /16 covers only 100.64.0.0-100.64.255.255, so tailnet
  # peers addressed outside it can still be banned -- confirm whether the
  # tailnet's pool is restricted to this /16. Widening the entry to /10 would
  # also exempt any non-Tailscale CGNAT source able to reach this host, so
  # weigh that before changing it.
  neverBan = [
    "100.64.0.0/16" # Tailscale
  ];
in
{
  config = lib.mkIf fail2banEnabled {
    services.fail2ban = {
      # Presumably needed so the nftables-* ban actions can invoke `nft`.
      extraPackages = [ pkgs.nftables ];

      # Base policy: five failures earn an initial ten-minute ban.
      maxretry = 5;
      bantime = "10m";
      ignoreIP = neverBan;

      # Bans are enforced through nftables rather than iptables.
      banaction = "nftables-multiport";
      banaction-allports = "nftables-allports";

      bantime-increment = escalation;
    };
  };
}