diff --git a/services/fail2ban.nix b/services/fail2ban.nix
new file mode 100644
index 00000000..20551c16
--- /dev/null
+++ b/services/fail2ban.nix
@@ -0,0 +1,37 @@
+{ config, pkgs, ... }:
+
+{
+ services.fail2ban = {
+ enable = true;
+ jails = {
+ DEFAULT = ''
+ bantime = 1d
+ blocktype = DROP
+ logpath = /var/log/auth.log
+ '';
+ ssh = ''
+ enabled = true
+ filter = sshd
+ maxretry = 4
+ action = iptables[name=SSH, port=ssh, protocol=tcp]
+ '';
+ sshd-ddos = ''
+ enabled = true
+ filter = sshd-ddos
+ maxretry = 4
+ action = iptables[name=ssh, port=ssh, protocol=tcp]
+ '';
+ };
+ };
+
+ environment.etc."fail2ban/filter.d/sshd-ddos.conf" = {
+ enable = true;
+ text = ''
+ [Definition]
+ failregex = sshd(?:\[\d+\])?: Did not receive identification string from $
+ ignoreregex =
+ '';
+ };
+
+ systemd.services.fail2ban.serviceConfig.LimitSTACK = 128 * 1024;
+}
diff --git a/services/postgres.nix b/services/postgres.nix
new file mode 100644
index 00000000..b29d8d2a
--- /dev/null
+++ b/services/postgres.nix
@@ -0,0 +1,5 @@
+{ config, pkgs, ... }:
+
+{
+ services.postgresql.enable = true;
+}
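Review bot: The sshd-ddos failregex written to /etc/fail2ban/filter.d/sshd-ddos.conf can never produce a ban: it has no `<HOST>` capture, which fail2ban needs to know which address to block (a failregex without one is rejected when the filter loads), and the trailing `from $` requires the log line to end right after "from ", so a real entry carrying an IP would not match even if the filter loaded. Change it to `failregex = sshd(?:\[\d+\])?: Did not receive identification string from <HOST>\s*$`. Separately, `logpath = /var/log/auth.log` in the DEFAULT jail assumes a syslog file; a stock NixOS host logs to the journal only, so unless rsyslog/syslog-ng is configured elsewhere in this repo both jails point at a file that does not exist, and overriding the module's DEFAULT text presumably also drops its own `backend = systemd` / ignoreip / findtime defaults — confirm against the NixOS release in use, and prefer `backend = systemd` with no logpath. Minor: the two jails name their iptables chains `SSH` and `ssh`; distinct names are required, but `name=SSH` and `name=SSH-ddos` would make that intent explicit.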
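Review bot: `services.postgresql.enable = true` on its own leaves the server major version and client authentication to module defaults; on NixOS the default `package` is derived from `system.stateVersion`, so the version this host runs is implicit rather than chosen. Pin it, e.g. `services.postgresql.package = pkgs.postgresql_15;` (whichever major is intended), so the data directory and upgrade path are deliberate. Also review the default `authentication` (pg_hba) for the release in use — older NixOS releases shipped a permissive local rule — and set `services.postgresql.authentication` explicitly if any untrusted local accounts exist on the box.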