{
  pkgs,
  lib,
  config,
  ...
}: {
  services.fail2ban = {
    enable = true;

    bantime = "24h";
    bantime-increment = {
      enable = true;
      formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(banFactor)";
      maxtime = "6969h";
      overalljails = true;
    };

    jails = {
      dovecot = lib.mkIf config.services.dovecot2.enable {
        settings = {
          # block IPs which failed to log-in
          # aggressive mode add blocking for aborted connections
          filter = "dovecot[mode=aggressive]";
          maxretry = 3;
        };
      };

      jellyfin = lib.mkIf config.services.jellyfin.enable {
        settings = {
          filter = "jellyfin";
          backend = "systemd";
          enabled = true;
          port = "80,443";
          maxretry = 8;
          bantime = "24h";
          findtime = "30m";
          journalmatch = "_SYSTEMD_UNIT=jellyfin.service";
        };
      };

      forgejo = lib.mkIf config.services.forgejo.enable {
        settings = {
          filter = "forgejo";
          backend = "systemd";
          enabled = true;
          port = "80,443";
          maxretry = 8;
          bantime = "24h";
          findtime = "30m";
          journalmatch = "_SYSTEMD_UNIT=forgejo.service";
        };
      };

      sonarr = lib.mkIf (config.microvm.vms."auto-torrent" != null) {
        settings = {
          filter = "arr";
          backend = "auto";
          enabled = true;
          port = "80,443";
          maxretry = 8;
          bantime = "24h";
          findtime = "30m";
          logpath = "/var/lib/auto-torrent/sonarr/logs/*.txt";
        };
      };
      radarr = lib.mkIf (config.microvm.vms."auto-torrent" != null) {
        settings = {
          filter = "arr";
          backend = "auto";
          enabled = true;
          port = "80,443";
          maxretry = 8;
          bantime = "24h";
          findtime = "30m";
          logpath = "/var/lib/auto-torrent/radarr/logs/*.txt";
        };
      };
      vaultwarden = lib.mkIf config.services.vaultwarden.enable {
        settings = {
          filter = "vaultwarden";
          backend = "systemd";
          enabled = true;
          port = "80,443";
          maxretry = 8;
          bantime = "24h";
          findtime = "30m";
          journalmatch = "_SYSTEMD_UNIT=vaultwarden.service";
        };
      };
    };
  };

  environment.etc = {
    # Jellyfin
    "fail2ban/filter.d/jellyfin.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
      [Definition]
      failregex = ^.*Authentication request for .* has been denied \(IP: <ADDR>\)\.
    '');
    # Forgejo
    "fail2ban/filter.d/forgejo.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
      [Definition]
      failregex = ^.*Failed authentication attempt for .* from <ADDR>.*$
    '');
    # *arr
    "fail2ban/filter.d/arr.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
      [Definition]
      failregex = ^.*Auth-Failure ip <ADDR> username.*$
    '');
    # Vaultwarden
    "fail2ban/filter.d/vaultwarden.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
      [Definition]
      failregex = ^.*Username or password is incorrect. Try again. IP: <ADDR>\. Username: .*$
    '');
    # Defines a filter that detects URL probing by reading the Nginx access log
    "fail2ban/filter.d/nginx-url-probe.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
      [Definition]
      failregex = ^<HOST>.*(GET /(wp-|admin|boaform|phpmyadmin|\.env|\.git)|\.(dll|so|cfm|asp)|(\?|&)(=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000|=PHPE9568F36-D428-11d2-A769-00AA001ACF42|=PHPE9568F35-D428-11d2-A769-00AA001ACF42|=PHPE9568F34-D428-11d2-A769-00AA001ACF42)|\\x[0-9a-zA-Z]{2})
    '');
  };
}