{
  lib,
  pkgs,
  config,
  ...
}: {
  config = lib.mkIf (config.services.jellyfin.enable && config.services.fail2ban.enable) {
    environment.etc = {
      "fail2ban/filter.d/jellyfin.local".text = (
        pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
          [Definition]
          failregex = "^.*Authentication request for .* has been denied \\\\\\(IP: \\\"<ADDR>\\\"\\\\\\)\\\\\\."
        '')
      );
    };

    services.fail2ban = {
      jails = {
        jellyfin-iptables.settings = {
          enabled = true;
          filter = "jellyfin";
          action = ''iptables-multiport[name=HTTP, port="http,https"]'';
          logpath = "${config.services.jellyfin.dataDir}/log/*.log";
          backend = "auto";
          findtime = 600;
          bantime = 600;
          maxretry = 5;
        };
      };
    };
  };
}