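# NixOS module: fail2ban for this machine.
#
# The whole block is applied only when "fail2ban" is listed in
# config.machine.services; each jail is additionally switched on only when
# the service it protects is listed there too (see `active` below).
{ config, lib, ... }:

with lib;

let
  cfg = config.machine;
  # active "svc" -> true when "svc" is listed in config.machine.services.
  active = name: (elem name cfg.services);
in
mkIf (elem "fail2ban" cfg.services) {
  services.fail2ban = {
    enable = true;
    # Ban IP after 5 failures
    maxretry = 5;
    # Addresses listed here are never banned by any jail, so keep the list to
    # hosts that are genuinely trusted.
    ignoreIP = [ "127.0.0.1" "152.53.131.220" ];
    bantime = "24h"; # Ban IPs for one day on the first ban
    bantime-increment = {
      enable = true; # Enable increment of bantime after each violation
      formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
      maxtime = "672h"; # Do not ban for more than 4 weeks
      overalljails = true; # Calculate the bantime based on all the violations
    };

    jails = {
      # SSH: uses the stock sshd filter in its normal (non-aggressive) mode.
      sshd = {
        settings = {
          enabled = active "openssh";
          filter = "sshd[mode=normal]";
        };
      };

      # IMAP/POP logins handled by Dovecot.
      dovecot = {
        settings = {
          enabled = active "mailserver";
          filter = "dovecot[mode=normal]";
        };
      };

      # Radicale (CalDAV/CardDAV): reads the journal of radicale.service with
      # the custom filter installed below; bans on all ports.
      radicale = {
        settings = {
          enabled = active "radicale";
          filter = "radicale";
          banaction = "%(banaction_allports)s[name=radicale]";
          backend = "systemd";
          journalmatch = "_SYSTEMD_UNIT=radicale.service";
        };
      };

      # ''
      # enabled = ${boolToString (active "openssh")}
      # filter = sshd
      # maxretry = 4
      # action = iptables[name=SSH, port=ssh, protocol=tcp]
      # '';
    };
  };

  # Custom fail2ban filter for Radicale.
  #
  # fail2ban needs a <HOST> group in failregex to know which address to ban;
  # without it the filter is rejected on load and the jail never bans anyone.
  # The pattern follows Radicale's own fail2ban example: it matches both the
  # direct form "from <addr>: ..." and the reverse-proxy form
  # "from <addr> (forwarded for '<client>'): ...", banning the forwarded
  # client in the latter case.
  # NOTE(review): banning the forwarded address is only sound when the proxy
  # in front of Radicale sets X-Forwarded-For itself — confirm for this host.
  environment.etc."fail2ban/filter.d/radicale.conf" = {
    enable = active "radicale";
    text = ''
      [INCLUDES]
      before = common.conf

      [Definition]
      failregex = ^.*Failed login attempt from (.+\(forwarded for '<HOST>'\)|<HOST>):.*$
      ignoreregex =

      [Init]
    '';
  };

  # environment.etc."fail2ban/filter.d/sshd-ddos.conf" = {
  #   enable = active "openssh";
  #   text = ''
  #     [Definition]
  #     failregex = sshd(?:\[\d+\])?: Did not receive identification string from <HOST>$
  #     ignoreregex =
  #   '';
  # };
  #
  # environment.etc."fail2ban/filter.d/postfix-sasl.conf" = {
  #   enable = active "mailserver";
  #   text = ''
  #     # Fail2Ban filter for postfix authentication failures
  #     [INCLUDES]
  #     before = common.conf
  #
  #     [Definition]
  #     daemon = postfix/smtpd
  #     failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
  #   '';
  # };
  #
  # environment.etc."fail2ban/filter.d/postfix-ddos.conf" = {
  #   enable = active "mailserver";
  #   text = ''
  #     [Definition]
  #     failregex = lost connection after EHLO from \S+\[<HOST>\]
  #   '';
  # };
  #
  # environment.etc."fail2ban/filter.d/nginx-req-limit.conf" = {
  #   enable = active "nginx";
  #   text = ''
  #     [Definition]
  #     failregex = limiting requests, excess:.* by zone.*client: <HOST>
  #   '';
  # };

  # Limit stack size to reduce memory usage
  systemd.services.fail2ban.serviceConfig.LimitSTACK = 256 * 1024;
}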