nix-config/modules/nixos-modules/server/fail2ban/impermanence.nix

{
  lib,
  config,
  ...
}: let
  dataFolder = "/var/lib/fail2ban";
  dataFile = "fail2ban.sqlite3";
in {
  options.services.fail2ban = {
    impermanence.enable = lib.mkOption {
      type = lib.types.bool;
      default = config.services.fail2ban.enable && config.host.impermanence.enable;
    };
  };

  config = lib.mkIf config.services.fail2ban.impermanence.enable {
    assertions = [
      {
        assertion = config.services.fail2ban.daemonSettings.Definition.dbfile == "${dataFolder}/${dataFile}";
        message = "fail2ban data file does not match persistence";
      }
    ];

    environment.persistence."/persist/system/root" = {
      directories = [
        {
          directory = dataFolder;
          user = "fail2ban";
          group = "fail2ban";
        }
      ];
    };
  };
}