{
  lib,
  pkgs,
  config,
  ...
}: {
  config = lib.mkIf config.services.fail2ban.enable {
    environment.etc = {
      "fail2ban/filter.d/nginx.local".text = lib.mkIf config.services.nginx.enable (
        pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
          [Definition]
          failregex = "limiting requests, excess:.* by zone.*client: <HOST>"
        '')
      );
    };

    services.fail2ban = {
      maxretry = 5;
      ignoreIP = [
        # Whitelist local networks
        "10.0.0.0/8"
        "172.16.0.0/12"
        "192.168.0.0/16"

        # tail scale tailnet
        "100.64.0.0/10"
        "fd7a:115c:a1e0::/48"
      ];
      bantime = "24h"; # Ban IPs for one day on the first ban
      bantime-increment = {
        enable = true; # Enable increment of bantime after each violation
        formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
        maxtime = "168h"; # Do not ban for more than 1 week
        overalljails = true; # Calculate the ban time based on all the violations
      };
      jails = {
        nginx-iptables.settings = lib.mkIf config.services.nginx.enable {
          enabled = true;
          filter = "nginx";
          action = ''iptables-multiport[name=HTTP, port="http,https"]'';
          backend = "auto";
          findtime = 600;
          bantime = 600;
          maxretry = 5;
        };
        # TODO; figure out if there is any fail2ban things we can do on searx
        # searx-iptables.settings = lib.mkIf config.services.searx.enable {};
      };
    };
  };
}