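# NixOS module: runs the CrowdSec engine against sshd's journal, exposes its
# Local API on port 9898, and runs the firewall bouncer against that API.
# The bouncer is registered with a fixed key before the crowdsec service starts.
{ outputs, pkgs, ... }:
let
  # Name under which the firewall bouncer is registered with the Local API.
  bouncerName = "nas-bouncer";

  # NOTE(security): this literal is interpolated into the generated
  # register-bouncer script below, and every derivation output in /nix/store is
  # world-readable. It is also handed to the bouncer module's settings, which
  # presumably render it into a config file (confirm where that file lives).
  # Treat the value as exposed once it has been committed or built: rotate it,
  # and prefer loading it from a root-only file outside the store, as is
  # already done for enrollKeyFile, if the modules in use offer such an option.
  # Bound once here so the registration and the bouncer cannot drift apart.
  bouncerApiKey = "1daH89qmJ41r2Lpd9hvDw4sxtOAtBzaj3aKFOFqE";
in
{
  services = {
    crowdsec = let
      yaml = (pkgs.formats.yaml {}).generate;
      # Only sshd's journal entries are fed to the engine.
      acquisitions_file = yaml "acquisitions.yaml" {
        source = "journalctl";
        journalctl_filter = ["_SYSTEMD_UNIT=sshd.service"];
        labels.type = "syslog";
      };
    in {
      enable = true;
      # A quoted string, not a Nix path literal, so the enrollment key file is
      # referenced by location and is not copied into the store.
      enrollKeyFile = "/media/nas/ssd/nix-app-data/crowdsec/enroll.key";
      settings = {
        crowdsec_service.acquisition_path = acquisitions_file;
        api.server = {
          # NOTE(security): binds the Local API on every interface. Nothing in
          # this module limits who can reach port 9898, so confirm the host
          # firewall does, or bind to the one address that clients use.
          listen_uri = "0.0.0.0:9898";
        };
      };
    };

    crowdsec-firewall-bouncer = {
      enable = true;
      settings = {
        api_key = bouncerApiKey;
        # NOTE(security): plain HTTP to a LAN address, so the API key is sent
        # unencrypted on every request. Use TLS on the Local API or keep this
        # traffic on loopback if the bouncer runs on the same host (presumably
        # it does; confirm 10.0.1.18 is this machine).
        api_url = "http://10.0.1.18:9898";
      };
    };
  };

  systemd.services.crowdsec.serviceConfig = {
    ExecStartPre = let
      # Idempotent registration: adds the bouncer only when the Local API does
      # not list it yet.
      script = pkgs.writeScriptBin "register-bouncer" ''
        #!${pkgs.runtimeShell}
        set -eu
        set -o pipefail

        # Capture the list first. With set -e, a failing cscli stops the unit
        # here instead of being read as "bouncer not registered", and no pipe
        # is left for an early-exiting grep to break under pipefail.
        registered="$(cscli bouncers list)"

        case "$registered" in
          *"${bouncerName}"*)
            ;;
          *)
            # The key is passed as an argument, so it is visible in the process
            # list while cscli runs.
            cscli bouncers add "${bouncerName}" --key "${bouncerApiKey}"
            ;;
        esac
      '';
    in ["${script}/bin/register-bouncer"];
  };
}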