{
  services.fail2ban = {
    enable = true;
    maxretry = 5;
    ignoreIP = [
      "4349:3909:beef::/48"
      "100.64.0.0/10"
      "127.0.0.0/8"
      "10.0.0.0/8"
      "172.16.0.0/12"
      "192.168.0.0/16"
    ];
    jails = {
      postfix = {
        filter = "postfix";
        settings = {
          action = "nftables";
          port = "143,993";
        };
      };
      dovecot = {
        filter = "dovecot";
        settings = {
          action = "nftables";
          port = "25,465,587";
        };
      };
      # I don't use SSHd right now, but if I do, re-enable this.
      # sshd = {
      #   filter = "sshd";
      #   settings = {
      #     action = "nftables";
      #     port = "22";
      #   };
      # };
    };
  };
}