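# NixOS module: fail2ban jail for failed Immich logins.
#
# Adds `services.immich.fail2ban.enable` and, when it is on, installs a
# fail2ban filter plus a systemd-journal-backed jail that uses it.
{ lib, config, pkgs, ... }:
{
  options.services.immich = {
    fail2ban = {
      enable = lib.mkOption {
        type = lib.types.bool;
        # On by default only when both fail2ban and Immich are enabled.
        default = config.services.fail2ban.enable && config.services.immich.enable;
        description = "Whether to install a fail2ban filter and jail for failed Immich login attempts.";
      };
    };
  };

  config = lib.mkIf config.services.immich.fail2ban.enable {
    environment.etc = {
      # Filter definition read by fail2ban from /etc/fail2ban/filter.d/.
      #
      # The failregex must end in a host tag: fail2ban rejects a failregex
      # that has no failure-id group, and without one there is no address
      # to ban. <ADDR> matches a bare IPv4/IPv6 address.
      #
      # NOTE(review): journalmatch assumes the container's journal entries
      # carry CONTAINER_TAG=immich-server (journald log driver with that
      # tag); confirm against the container configuration.
      # NOTE(review): if Immich runs behind a reverse proxy, confirm the
      # logged address is the client's and not the proxy's, otherwise the
      # jail would ban the proxy.
      "fail2ban/filter.d/immich.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
        [Definition]
        failregex = immich-server.*Failed login attempt for user.+from ip address\s?<ADDR>
        journalmatch = CONTAINER_TAG=immich-server
      '');
    };

    services.fail2ban = {
      jails = {
        # Only enabled/filter/backend are set here; maxretry, findtime,
        # bantime and the ban action are whatever the global
        # services.fail2ban configuration provides.
        immich-iptables.settings = {
          enabled = true;
          filter = "immich";
          backend = "systemd";
        };
      };
    };
  };
}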