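# NixOS module: installs fail2ban, ships a custom nginx access-log filter and
# enables a jail that bans clients which repeatedly trigger 400/403/404/444
# responses.
{pkgs, ...}: {
  # Puts the fail2ban package (and its client tooling) on the system PATH.
  environment.systemPackages = [pkgs.fail2ban];

  environment.etc = {
    # Custom filter, installed as /etc/fail2ban/filter.d/nginx-bruteforce.conf.
    #
    # Every failregex must contain a host group: <HOST> marks the address
    # fail2ban bans. Without it the filter cannot identify an offender and
    # the jail does not work. Anchoring <HOST> right after ^ takes the address
    # from the first field of the log line rather than from anything the
    # client can place later in the line (URL, referer, user agent).
    #
    # NOTE(review): the status alternatives are only space-delimited, so any
    # later field equal to one of them (e.g. a 200 response whose byte count
    # is 404) also matches. Tighten the pattern against your actual
    # log_format if false bans matter.
    "fail2ban/filter.d/nginx-bruteforce.conf".text = ''
      [Definition]
      failregex = ^<HOST>.*(GET|POST).* (404|444|403|400) .*$
    '';
  };

  services.fail2ban = {
    enable = true;

    # Global default; the nginx-spam jail below overrides it with its own value.
    maxretry = 5;

    # No extra exemptions are configured. Add the addresses you administer the
    # host from (and any monitoring probes) so that they cannot be banned.
    ignoreIP = [
    ];

    # Repeat offenders get progressively longer bans: the base bantime is
    # scaled by these multipliers, capped at maxtime (168h = 7 days).
    bantime-increment = {
      enable = true;
      multipliers = "1 2 4 8 16 32 64";
      maxtime = "168h";
    };

    jails = {
      nginx-spam.settings = {
        # Must match the filter file name defined under environment.etc above.
        filter = "nginx-bruteforce";
        # Blocks the offender on all ports, not only HTTP/HTTPS.
        # NOTE(review): assumes an iptables-based firewall; confirm this
        # action matches the firewall backend in use on the host.
        action = "iptables-allports";
        # NOTE(review): if nginx sits behind a reverse proxy or load balancer,
        # the first field of this log is presumably the proxy's address;
        # banning it would block every client. Verify before enabling.
        logpath = "/var/log/nginx/access.log";
        backend = "auto";
        # 10 matching requests within 600 s trigger an initial 600 s ban.
        findtime = 600;
        bantime = 600;
        maxretry = 10;
      };
    };
  };
}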