diff --git a/fail2ban.nix b/fail2ban.nix
new file mode 100644
index 0000000..80da631
--- /dev/null
+++ b/fail2ban.nix
@@ -0,0 +1,19 @@
+{ ... }: {
+ services.fail2ban = {
+ enable = true;
+ maxretry = 5;
+ ignoreIP = [
+ # Whitelist some subnets
+ "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16"
+ "matrix.org"
+ "app.element.io" # don't ratelimit matrix users
+ ];
+ bantime = "1h"; # Ban IPs for 1h at first.
+ bantime-increment = {
+ enable = true; # Enable increment of bantime after each violation
+ multipliers = "1 2 4 8 16 32 64 128 256";
+ maxtime = "168h"; # Do not ban for more than 1 week
+ overalljails = true; # Calculate the bantime based on all the violations
+ };
+ };
+}
diff --git a/flake.nix b/flake.nix
index 48edca7..19248f6 100644
--- a/flake.nix
+++ b/flake.nix
@@ -29,6 +29,7 @@
 ./puffer.nix
 ./gitea.nix
 ./letsencrypt.nix
+ ./fail2ban.nix
 ./email.nix
 agenix.nixosModules.default
 nixos-mailserver.nixosModules.default
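Review bot: The `"app.element.io"` entry in `ignoreIP` does not do what its comment claims: Element Web runs in the user's browser, so Matrix users reach the homeserver from their own addresses, not from app.element.io's, and a hostname in ignoreIP only exempts whatever that name resolves to when the jail is (re)loaded. The same holds for `"matrix.org"`, which at most exempts federation traffic originating from matrix.org's own servers. Exempting all of 10/8, 172.16/12 and 192.168/16 is also very broad: if the protected services sit behind a reverse proxy, NAT or a container bridge that presents clients with a private source address, every client is exempt and the ban logic never fires, so this should be confirmed against how traffic actually reaches the host. I would drop the two hostnames, narrow the private entries to the real management subnet (e.g. `"192.168.1.0/24"`), and replace the comment with `# Exempt only the management subnet; make sure client traffic is not NATed through an exempt range`. Note also that this file declares no `jails`, so only the module's default jail (sshd on NixOS, as far as I recall) is active; per-service jails for the other modules listed in flake.nix would need to be added separately.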