# Persistence wiring for the fail2ban state directory.
#
# When fail2ban and ZFS storage are both enabled, this module asserts that the
# daemon's database sits at the expected path. When the impermanence toggle is
# also on, it registers the state directory with the
# "persist/replicate/system/root" dataset.
{ lib, config, ... }:
let
  inherit (lib) mkIf mkMerge mkOption types;

  cfg = config.services.fail2ban;

  # Location this module expects the fail2ban SQLite database to live at.
  stateDir = "/var/lib/fail2ban";
  dbName = "fail2ban.sqlite3";
  expectedDbFile = "${stateDir}/${dbName}";
in
{
  # Defaults to true only when fail2ban and storage.impermanence are both
  # enabled; it can still be overridden explicitly.
  options.services.fail2ban.impermanence.enable = mkOption {
    type = types.bool;
    default = cfg.enable && config.storage.impermanence.enable;
  };

  config = mkIf cfg.enable (mkMerge [
    (mkIf config.storage.zfs.enable (mkMerge [
      {
        # Fail evaluation if dbfile has been pointed somewhere else: the
        # directory persisted below would then not contain the database.
        # NOTE(review): presumably the ban history would then not survive a
        # reboot on an impermanent root -- confirm against storage.impermanence.
        assertions = [
          {
            assertion = cfg.daemonSettings.Definition.dbfile == expectedDbFile;
            message = "fail2ban data file does not match persistence";
          }
        ];
      }

      (mkIf (!cfg.impermanence.enable) {
        # TODO: placeholder to configure a unique dataset for this service
      })

      (mkIf cfg.impermanence.enable {
        storage.impermanence.datasets."persist/replicate/system/root" = {
          directories."${stateDir}" = {
            # NOTE(review): confirm a "fail2ban" user and group exist in this
            # configuration. As far as I know the upstream NixOS module runs
            # the daemon as root and declares no such account, in which case
            # ownership here should match the account that actually writes
            # the database.
            # NOTE(review): the dataset name suggests it is replicated; the
            # database records banned addresses, so verify the replication
            # target is acceptable for that data.
            owner.name = "fail2ban";
            group.name = "fail2ban";
          };
        };
      })
    ]))
  ]);
}