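# NixOS module fragment: enables fail2ban with nftables-based ban actions,
# escalating ban times, and an sshd jail running in aggressive mode.
{ config, pkgs, ... }:
{
  services.fail2ban = {
    enable = true;
    package = pkgs.fail2ban;

    # Bans are enforced through nftables.
    # NOTE(review): presumably the host firewall must also be nftables-based
    # (networking.nftables.enable) for these rules to take effect. Confirm.
    packageFirewall = pkgs.nftables;
    banaction = "nftables-multiport";
    # fail2ban ships this action as "nftables-allports" (plural). The earlier
    # value "nftables-allport" matches no shipped action file, so any jail
    # using the all-ports action would fail to install its ban.
    banaction-allports = "nftables-allports";

    # Repeat offenders receive progressively longer bans.
    bantime-increment.enable = true;

    # Currently disabled. Enabling it exempts every address in these ranges
    # from banning, including a compromised internal host used to brute-force
    # SSH; prefer listing individual admin addresses over whole subnets.
    # ignoreIP = [ "10.0.0.0/24" "10.3.0.0/24" ];

    # Daemon settings: log to syslog at INFO, control socket and pid file under
    # /run, ban database under /var/lib so ban history survives restarts.
    daemonConfig = ''
      [Definition]
      loglevel     = INFO
      logtarget    = SYSLOG
      socket       = /run/fail2ban/fail2ban.sock
      pidfile      = /run/fail2ban/fail2ban.pid
      dbfile       = /var/lib/fail2ban/fail2ban.sqlite3
    '';

    jails = {
      # Ban after 3 failures. "aggressive" selects the sshd filter's widest
      # pattern set, not just plain authentication failures.
      # NOTE(review): the NixOS module appears to define its own sshd jail at
      # default priority, which this definition would replace; "enabled" is
      # therefore set explicitly so the jail cannot end up silently inactive.
      # Verify with `fail2ban-client status sshd` after deployment.
      sshd = ''
        enabled  = true
        maxretry = 3
        mode     = aggressive
      '';
    };
  };
}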