{ pkgs, ... }:
{
  config = {
    services.fail2ban = {
      enable = true;

      extraPackages = with pkgs; [ nftables ];
      maxretry = 5;
      bantime = "10m";
      ignoreIP = [
        "100.64.0.0/16" # Tailscale
      ];

      banaction = "nftables-multiport";
      banaction-allports = "nftables-allports";

      bantime-increment = {
        enable = true;
        multipliers = "2 8 32 128 512 2048";
        maxtime = "2400h"; # 100 days
        overalljails = true; # Calculate the bantime based on all the violations
      };
    };
  };
}