# NixOS module: opt-in fail2ban with escalating ban times and DROP blocking.
#
# Enabled through `nixfiles.modules.fail2ban.enable`. Nothing under `config`
# takes effect unless that option is set.
{
  config,
  lib,
  this,
  ...
}:
let
  # Explicit inherits instead of `with lib;`, so every name has a visible origin.
  inherit (lib) mkEnableOption mkIf optionals;

  cfg = config.nixfiles.modules.fail2ban;

  # Only forced when the host actually has WireGuard metadata (see ignoreIP).
  wg = config.nixfiles.modules.wireguard;
in
{
  options.nixfiles.modules.fail2ban.enable = mkEnableOption "fail2ban";

  config = mkIf cfg.enable {
    # NOTE(review): `ark` is defined outside this file; presumably it keeps the
    # listed directories across reboots. Confirm against the ark module.
    # bantime-increment depends on fail2ban's stored ban history, so losing
    # this directory would reset escalation for repeat offenders.
    ark.directories = [ "/var/lib/fail2ban" ];

    services.fail2ban = {
      enable = true;

      # Repeat offenders get progressively longer bans.
      bantime-increment = {
        enable = true;
        # Upper bound on how long an escalated ban may last.
        maxtime = "24h";
        # Random amount added to each ban so the unban time is not predictable.
        rndtime = "8m";
      };

      # Addresses that are never banned: the WireGuard subnets, when this host
      # has a `wireguard` attribute. The check is attribute presence only.
      # NOTE(review): confirm both subnet options are always defined in that case.
      # Peers inside these ranges are exempt from every jail, so services
      # reachable over the tunnel need their own rate limiting or lockout.
      ignoreIP = optionals (this ? wireguard) [
        wg.ipv4.subnet
        wg.ipv6.subnet
      ];

      # Silently drop packets from banned hosts instead of sending a rejection.
      jails.DEFAULT.settings.blocktype = "DROP";
    };
  };
}