{ config, pkgs, ... }:

{
  services.fail2ban = {
    enable = true;
    package = pkgs.fail2ban;
    packageFirewall = pkgs.nftables;
    bantime-increment.enable = true;
    ignoreIP = [
      config.architect.networks.lan.net
      config.architect.networks.tailscale.net
    ];
  };
}