{ config, lib, pkgs, ... }:
{
  services.fail2ban = {
    enable = true;
    ignoreIP = [
      "141.30.0.0/16"
      "141.76.0.0/16"
    ];
    bantime-increment = {
      enable = true;
    };

    jails = {
      tor = ''
        enabled = true
        bantime = 25h
        action = iptables-allports[name=fail2banTOR, protocol=all]
      '';
      dovecot = ''
        enabled = true
        # aggressive mode to add blocking for aborted connections
        filter = dovecot[mode=aggressive]
        maxretry = 3
      '';
      postfix = ''
        enabled = true
        filter = postfix[mode=aggressive]
        maxretry = 3
      '';
    };
  };

  environment.etc = {
    # dummy filter
    "fail2ban/filter.d/tor.conf".text = ''
      [Definition]
      failregex =
      ignoreregex =
    '';
  };

  systemd.services."fail2ban-tor" = {
    script = ''
      ${lib.getExe pkgs.curl} -fsSL "https://check.torproject.org/torbulkexitlist" | sed '/^#/d' | while read IP; do
        ${config.services.fail2ban.package}/bin/fail2ban-client set "tor" banip "$IP" > /dev/null
      done
    '';
  };

  systemd.timers."fail2ban-tor" = {
    wantedBy = [ "timers.target" ];
    timerConfig = {
      OnCalendar = "daily";
      Persistent = true;
      Unit = "fail2ban-tor.service";
    };
  };
}