{ pkgs, lib, ... }:
{
  services.fail2ban = {
    enable = false;
    banaction = "nftables-multiport";
    banaction-allports = lib.mkDefault "nftables-allport";

    extraPackages = with pkgs; [
      nftables
      ipset
    ];

    ignoreIP = [
      "10.0.0.0/8"
      "172.16.0.0/12"
      "100.64.0.0/16"
      "192.168.0.0/16"
    ];
  };
}