{
  lib,
  config,
  pkgs,
  ...
}: {
  config = lib.mkIf (config.services.fail2ban.enable && config.services.immich.enable) {
    environment.etc = {
      "fail2ban/filter.d/immich.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
        [Definition]
        failregex = immich-server.*Failed login attempt for user.+from ip address\s?<ADDR>
        journalmatch = CONTAINER_TAG=immich-server
      '');
    };

    services.fail2ban = {
      jails = {
        immich-iptables.settings = {
          enabled = true;
          filter = "immich";
          backend = "systemd";
        };
      };
    };
  };
}