{
  config,
  lib,
  pkgs,
  ...
}: {
  config = lib.mkIf (config.services.paperless.enable && config.services.fail2ban.enable) {
    environment.etc = {
      "fail2ban/filter.d/paperless.local".text = (
        pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
          [Definition]
          failregex = Login failed for user `.*` from (?:IP|private IP) `<HOST>`\.$
          ignoreregex =

        '')
      );
    };

    services.fail2ban = {
      jails = {
        paperless.settings = {
          enabled = true;
          filter = "paperless";
          action = ''iptables-multiport[name=HTTP, port="http,https"]'';
          logpath = "${config.services.paperless.dataDir}/log/*.log";
          backend = "auto";
          findtime = 600;
          bantime = 600;
          maxretry = 5;
        };
      };
    };
  };
}