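# Declares a NixOS module at `flake.modules.nixos.fail2ban` that turns on
# fail2ban with a fixed ban policy and a LAN allow-list.
#
# Each setting sits on its own line so the trailing `#` comment on `ignoreIP`
# no longer comments out the closing braces of the expression.
{ ... }:
{
  flake.modules.nixos.fail2ban =
    { pkgs, ... }:
    {
      services.fail2ban = {
        enable = true;

        # How long an offending address stays banned.
        bantime = "1h";

        # Number of failures tolerated before an address is banned.
        maxretry = 5;

        # Your whole LAN — whitelisted.
        # NOTE(review): addresses listed here are never banned, so every host
        # in this /24 (including a compromised workstation, IoT device or
        # guest) is exempt from the retry limit. If the LAN is not fully
        # trusted, list only the specific admin hosts instead of the subnet.
        # NOTE(review): the ban length is fixed at one hour; consider
        # `services.fail2ban.bantime-increment.enable` if repeat offenders
        # should receive progressively longer bans.
        ignoreIP = [ "192.168.0.0/24" ];
      };
    };
}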