# NixOS module: turns on fail2ban with two jails (nginx-bad-request, grafana)
# and installs the nginx-bad-request filter file under /etc/fail2ban/filter.d.
{ config, pkgs, ... }:

let
  # Jail body shared by both jails: enabled, banning on every port.
  # NOTE(review): no `filter`, `logpath` or `backend` is set here, so both
  # jails depend on defaults defined elsewhere. Confirm each jail really reads
  # the nginx / grafana logs (e.g. `fail2ban-client status <jail>`).
  banAllPorts = ''
    enabled = true
    action = iptables[type=allports]
  '';

  # Filter definition fetched from the upstream fail2ban repository.
  # The sha256 pins the content, so an upstream edit makes the fetch fail
  # instead of silently installing a different filter.
  # NOTE(review): the URL follows the mutable `master` branch; pointing it at
  # a release tag or commit would keep the URL and the hash in agreement.
  nginxBadRequestFilter = pkgs.fetchurl {
    url = "https://raw.githubusercontent.com/fail2ban/fail2ban/master/config/filter.d/nginx-bad-request.conf";
    sha256 = "sha256-fCxNQpN+IAY+2kfeOmunmtipxTjS0gHauTBIKiCtjDY=";
  };
in
{
  services.fail2ban = {
    enable = true;

    # Number of failures before a host is banned.
    maxretry = 10;

    # Ban duration grows for hosts that are banned repeatedly.
    bantime-increment.enable = true;

    # Sources that are never banned: loopback, two RFC 1918 private ranges and
    # one public address.
    # NOTE(review): if a reverse proxy or load balancer inside these ranges
    # fronts nginx/grafana and the logs record its address rather than the
    # client's, offending clients are never banned. Confirm the logged source
    # address and keep this list as narrow as the deployment allows.
    ignoreIP = [
      "127.0.0.0/8"
      "10.0.0.0/8"
      "192.168.0.0/16"
      "78.94.116.222"
    ];

    jails = {
      nginx-bad-request = banAllPorts;
      grafana = banAllPorts;
    };
  };

  # Workaround for nginx-bad-request not being included
  environment.etc."fail2ban/filter.d/nginx-bad-request.conf".source = nginxBadRequestFilter;
}