diff --git a/nix/modules/nixos/services/nginx/default.nix b/nix/modules/nixos/services/nginx/default.nix
index ff034c6..77719e5 100644
--- a/nix/modules/nixos/services/nginx/default.nix
+++ b/nix/modules/nixos/services/nginx/default.nix
@@ -74,6 +74,11 @@ let
 description = "Extra configuration to inject into the generated nginx config";
 default = '''';
 };
+ rateLimit.enable = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = "Enable rate limiting";
+ };
 locations = lib.mkOption {
 type = lib.types.attrsOf (
 lib.khscodes.mkSubmodule {
@@ -149,6 +154,16 @@ in
 maxretry = 2;
 };
 };
+ nginx-req-limit = {
+ settings = {
+ filter = "nginx-limit-req";
+ action = ''${config.services.fail2ban.banaction}[name=HTTP, port="http,https"]'';
+ logpath = "/var/log/nginx/access.log";
+ backend = "auto";
+ findtime = 600;
+ maxretry = 3;
+ };
+ };
 };
 khscodes.networking.aliases = lib.attrsets.attrNames cfg.virtualHosts;
 khscodes.security.acme.enable = true;
@@ -177,6 +192,7 @@ in
 recommendedZstdSettings = lib.mkDefault true;
 recommendedProxySettings = lib.mkDefault true;
 appendHttpConfig = ''
+ limit_req_zone $binary_remote_addr zone=nobots:10m rate=50r/s;
 map $scheme $hsts_header {
 https "max-age=63072000; preload";
 }
@@ -254,8 +270,12 @@ in
 ''
 else
 '''';
+ reqLimit = lib.strings.optionalString value.rateLimit.enable ''
+ limit_req zone=nobots burst=5 nodelay;
+ '';
 extraConfig = ''
 ${mtls}
+ ${reqLimit}
 ${value.extraConfig}
 '';
 in
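Review bot: The description of the new `rateLimit.enable` option in the first hunk says only "Enable rate limiting", which does not tell a user of the module what is actually applied or that the default is on for every virtual host. Since the directive it toggles (`limit_req zone=nobots burst=5 nodelay;`, last hunk) and the shared zone (`rate=50r/s`, third hunk) are fixed in this file, the option text should say so: `description = "Apply the module-wide nobots limit_req zone (50 r/s per client address, burst 5, nodelay) to this virtual host. Requests over the limit are rejected and are counted by the nginx-req-limit fail2ban jail.";`. If the rate or burst are meant to be tunable later, mentioning the zone name here is also what lets a vhost's own extraConfig reference it deliberately.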
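Review bot: The `nginx-req-limit` jail in the second hunk sets `logpath = "/var/log/nginx/access.log"`, but the `nginx-limit-req` filter it names matches nginx's "limiting requests, excess: ... by zone" error-log lines, not access-log entries, so as written the jail will never see a hit and the ban action is dead code. The line should point at the error log, `logpath = "/var/log/nginx/error.log";`, and I believe NixOS sends nginx's error log to stderr (the journal) by default, in which case the error log also has to be directed to that file (or the jail switched to the systemd backend) for the filter to read anything. Note also that every request nginx rejects from the zone writes one such line, so with `findtime = 600; maxretry = 3;` a client that momentarily exceeds 50 r/s three times in ten minutes is banned on both ports; worth stating in a comment next to the jail so the thresholds are adjusted knowingly. The enclosing fail2ban `jails` attribute set starts before this hunk.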
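Review bot: The `limit_req_zone $binary_remote_addr zone=nobots:10m rate=50r/s;` line in the third hunk keys the limit on the TCP peer address, which is the right choice only if nginx terminates client connections directly; if any virtual host sits behind a CDN, load balancer or other reverse proxy, all traffic arrives from a handful of proxy addresses and one busy site will rate-limit (and, via the new jail, ban) the proxy for everyone. The same applies to many users behind a single NAT address. I would add a comment above the directive stating that assumption and, where a trusted proxy exists, configure `real_ip_header`/`set_real_ip_from` before relying on the client address; the zone size (10m) is also an implicit cap on tracked addresses, and nginx rejects new clients once it is exhausted, which a short comment should mention. The `appendHttpConfig` string continues past the end of the hunk.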
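Review bot: Rejected requests from `limit_req zone=nobots burst=5 nodelay;` in the last hunk are answered with nginx's default status 503, which is indistinguishable from an upstream outage for clients, monitoring and any status-based alerting; adding `limit_req_status 429;` to the same string makes the rejection explicit to callers and to dashboards. As a point of style, `reqLimit` uses `lib.strings.optionalString` while the `mtls` binding just above it uses an `if … then … else ''''` expression for the same "optional snippet" purpose; either form is fine, but the two sibling bindings should use the same one. The `let` block these bindings belong to starts before the hunk.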