# fail2ban with an ipset-backed ban action, plus a post-start hook that opens
# the server's control socket to members of the `fail2ban` group.
{ pkgs, ... }:
let
  # Runtime directory and control socket that fail2ban-server creates.
  runDir = "/var/run/fail2ban";
  socket = "${runDir}/fail2ban.sock";

  # Runs after fail2ban-server is up: wait until the socket exists *and*
  # accepts connections, then hand group access to `fail2ban`.
  # The poll loops are unbounded on purpose; the unit's TimeoutStartSec is
  # what eventually fails the start if the socket never appears.
  postStart = pkgs.writeShellScript "fail2ban-post-start" ''
    # Socket node present on disk.
    until [ -S ${socket} ]; do
        sleep 1
    done

    # Socket actually listening (nc -zU: zero-I/O connect test on a UNIX socket).
    until ${pkgs.netcat}/bin/nc -zU ${socket}; do
        sleep 1
    done

    # 710 on the directory: the group may traverse to the socket but not list it.
    # 660 on the socket: the group may read/write, i.e. send commands.
    ${pkgs.coreutils}/bin/chown root:fail2ban ${runDir} ${socket}
    ${pkgs.coreutils}/bin/chmod 660 ${socket}
    ${pkgs.coreutils}/bin/chmod 710 ${runDir}
  '';
in
{
  services.fail2ban = {
    enable = true;

    # The ipset ban action needs the ipset binary on the server's PATH.
    extraPackages = [ pkgs.ipset ];
    banaction = "iptables-ipset-proto6-allports";

    # Repeat offenders get progressively longer bans.
    bantime-increment.enable = true;

    jails.nginx-botsearch = ''
      enabled = true
      logpath = /var/log/nginx/access.log
    '';

    # Never ban loopback or the RFC 1918 private ranges.
    ignoreIP = [ "127.0.0.0/8" "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" ];
  };

  # Group that is granted access to the control socket (e.g. a metrics
  # exporter). This is the same socket fail2ban-client talks to, so any
  # member can ban, unban and reconfigure jails as if it were root running
  # fail2ban-client — keep membership to the one service that needs it.
  users.groups.fail2ban = { };

  # Leading "+": systemd runs the hook with full privileges regardless of
  # the unit's sandboxing, which chown/chmod on the runtime dir require.
  systemd.services.fail2ban.serviceConfig.ExecStartPost = "+${postStart}";
}