diff --git a/nixos/modules/services/networking/monero.nix b/nixos/modules/services/networking/monero.nix index 1ef0c696e2c8..9b73fc9be0fa 100644 --- a/nixos/modules/services/networking/monero.nix +++ b/nixos/modules/services/networking/monero.nix @@ -32,6 +32,10 @@ let restricted-rpc=1 ''} + ${lib.optionalString (banlist != null) '' + ban-list=${banlist} + ''} + limit-rate-up=${toString limits.upload} limit-rate-down=${toString limits.download} max-concurrency=${toString limits.threads} @@ -64,6 +68,23 @@ in ''; }; + banlist = lib.mkOption { + type = lib.types.nullOr lib.types.path; + default = null; + description = '' + Path to a text file containing IPs to block. + Useful to prevent DDoS/deanonymization attacks. + + https://github.com/monero-project/meta/issues/1124 + ''; + example = lib.literalExpression '' + builtins.fetchurl { + url = "https://raw.githubusercontent.com/rblaine95/monero-banlist/c6eb9413ddc777e7072d822f49923df0b2a94d88/block.txt"; + hash = ""; + }; + ''; + }; + mining.enable = lib.mkOption { type = lib.types.bool; default = false; @@ -225,7 +246,7 @@ in serviceConfig = { User = "monero"; Group = "monero"; - ExecStart = "${pkgs.monero-cli}/bin/monerod --config-file=${configFile} --non-interactive"; + ExecStart = "${lib.getExe' pkgs.monero-cli "monerod"} --config-file=${configFile} --non-interactive"; Restart = "always"; SuccessExitStatus = [ 0
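Review bot: The `example` for the new `banlist` option shows `hash = "";`, which a reader can copy unchanged or simply drop, and the description never says that the fetched list has to be integrity-pinned. Because this file decides which peers the node refuses to talk to, I would make the placeholder explicit, e.g. `hash = "<sha256 of block.txt at the pinned commit>";`, and add to the description `The list is third-party data: pin it to a commit and a hash, and review it when updating.` It is also worth confirming that `builtins.fetchurl` accepts a `hash` attribute on the Nix versions NixOS supports (it may only take `sha256`), and the trailing `;` after the closing brace will not paste cleanly as an option value. A string path outside the Nix store presumably also has to be readable by the `monero` user the unit runs as, which the description could state.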