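{
  pkgs,
  config,
  lib,
  ...
}:
# CrowdSec host module: journald/nginx log acquisition, a postoverflow
# whitelist for the Matrix (conduit) virtual host, and the firewall bouncer.
let
  matrixServerName = config.services.matrix-conduit.settings.global.server_name;

  # CrowdSec evaluates a whitelist's `expression` list with OR semantics: the
  # overflow is whitelisted as soon as ANY entry evaluates to true.  Keeping the
  # FQDN check and the scenario check as two separate entries therefore
  # whitelisted every http-probing / http-crawl-non_statics alert on every
  # vhost, not just the Matrix one.  Both conditions are joined with `&&` into a
  # single expression so the whitelist only fires for the Matrix server name.
  #
  # NOTE(review): only the first event's target_fqdn is inspected; an overflow
  # can bundle events against several vhosts. target_fqdn is presumably filled
  # from the client-supplied Host header by the nginx parser — confirm.
  matrixWhitelistExpression = lib.concatStringsSep " && " [
    "evt.Overflow.Alert.Events[0].GetMeta('target_fqdn') == '${matrixServerName}'"
    "evt.Overflow.Alert.GetScenario() in ['crowdsecurity/http-probing', 'crowdsecurity/http-crawl-non_statics']"
  ];
in
{
  security.crowdsec = {
    enable = true;

    # Source addresses whose events are discarded at parse time.
    parserWhitelist = [
      "10.45.249.2"
    ];

    # Postoverflow whitelist for Matrix client traffic that trips HTTP
    # probing/crawling scenarios.
    extraConfig."postoverflows/s01-whitelist/matrix-whitelist.yaml" = {
      name = "tetsumaki/matrix";
      description = "custom matrix whitelist";
      whitelist = {
        reason = "whitelist false positive for matrix";
        expression = [ matrixWhitelistExpression ];
      };
    };

    # Supplementary groups the crowdsec service needs to read the journal and
    # the nginx log files listed in `acquisitions`.
    extraGroups = [
      "systemd-journal"
      "nginx"
    ];

    acquisitions = [
      # Nextcloud log lines from the journal.
      {
        source = "journalctl";
        labels.type = "syslog";
        journalctl_filter = [
          "SYSLOG_IDENTIFIER=Nextcloud"
        ];
      }

      # OpenSSH per-connection process log lines from the journal.
      {
        source = "journalctl";
        labels.type = "syslog";
        journalctl_filter = [
          "SYSLOG_IDENTIFIER=sshd-session"
        ];
      }

      # Global nginx logs plus the per-vhost access log of every configured
      # virtual host.
      {
        labels.type = "nginx";
        filenames =
          [
            "/var/log/nginx/*.log"
          ]
          ++ lib.mapAttrsToList (
            vHost: _: "/var/log/nginx/${vHost}/access.log"
          ) config.services.nginx.virtualHosts;
      }
    ];

    remediationComponents.firewallBouncer = {
      enable = true;
      # Bouncer metrics are bound to loopback only.
      settings.prometheus = {
        enabled = true;
        listen_addr = "127.0.0.1";
        # NOTE(review): kept as a string as in the original; verify the
        # bouncer accepts a quoted port value.
        listen_port = "60601";
      };
    };
  };
}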