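# NixOS module: installs a custom fail2ban filter for nginx probe traffic and
# sets global fail2ban defaults (retry limit, ban time, ipset-based ban action).
{ pkgs, ... }:
{
  environment.etc = {
    # Filter matching GET requests for commonly probed paths (matrix/server,
    # *.php, admin, wp-*) that were answered with a 404.
    #
    # fail2ban needs a <HOST> group in every failregex to know which address to
    # ban; without it the filter fails to load. <HOST> is anchored at the start
    # of the line so the banned address is always the logged client address and
    # never text taken from the request itself.
    # NOTE(review): assumes the access log line begins with the client address
    # (nginx's default "combined" format) - confirm against the log_format in use.
    #
    # NOTE(review): nothing in this file defines a jail that uses this filter.
    # It has no effect until a jail sets `filter = nginx-bruteforce` and points
    # at the nginx access log (possibly done in another module).
    "fail2ban/filter.d/nginx-bruteforce.conf".text = ''
      [Definition]
      failregex = ^<HOST> .*GET.*(matrix/server|\.php|admin|wp\-).* HTTP/\d\.\d\" 404.*$
    '';
  };

  services.fail2ban = {
    enable = true;

    # Addresses in ignoreIP are never banned, so keep this list as narrow as
    # possible.
    # NOTE(review): /24 covers only 100.64.0.0-100.64.0.255, while Tailscale
    # assigns addresses from the wider 100.64.0.0/10 range - confirm that this
    # range really contains the tailnet peers that should be exempt.
    ignoreIP = [
      "100.64.0.0/24" # tailnet
    ];

    # Ban after 3 matching log lines, for 2 hours.
    maxretry = 3;
    bantime = "2h";

    # The ban action below relies on ipset; it blocks the offender on all
    # ports, not only the port of the service that logged the failure.
    extraPackages = [ pkgs.ipset ];
    banaction = "iptables-ipset-proto6-allports";
  };
}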