# CrowdSec module: enables the engine, installs hub items, reads service logs
# from the systemd journal and configures the Local API (LAPI) listener.
{
  config,
  lib,
  namespace,
  ...
}:
let
  inherit (lib.${namespace}) mkOpt;

  name = "crowdsec";
  cfg = config.${namespace}.services.${name};

  # systemd units whose journal entries are handed to CrowdSec.
  # NOTE(review): the hub list below also installs nextcloud items, but no
  # nextcloud log source is acquired in this file; confirm it is set elsewhere.
  journalUnits = [
    "authentik"
    "postgresql"
    "smbd"
    "sshd"
    "traefik"
  ];

  # One journalctl acquisition per unit; every source is labelled "syslog".
  mkJournalAcquisition = unit: {
    journalctl_filter = [ "_SYSTEMD_UNIT=${unit}.service" ];
    labels.type = "syslog";
    source = "journalctl";
  };

  crowdsecConfig = lib.${namespace}.mkModule {
    inherit config name;
    description = "crowdsec";

    options = with lib; {
      # NOTE(review): this option is not referenced anywhere in this file.
      # A secret passed as a plain string option is copied into the
      # world-readable Nix store once it is interpolated into configuration;
      # prefer a path to a secret file that is provisioned outside the store.
      apiKey = mkOpt types.str "" "API key for crowdsec bouncer";
    };

    # cfg.openFirewall, cfg.listenAddress, cfg.port and cfg.configDir are not
    # declared in this file; presumably mkModule provides them (confirm).
    moduleConfig.services.crowdsec = {
      enable = true;
      # Opening the firewall exposes the LAPI port set below; only needed when
      # bouncers or agents on other hosts must reach this instance.
      openFirewall = cfg.openFirewall;

      hub = {
        # NOTE(review): AppSec items are installed, but no acquisition with an
        # appsec source is defined in this file, so unless one is configured
        # elsewhere they receive no traffic to inspect.
        appSecConfigs = [ "crowdsecurity/appsec-default" ];
        appSecRules = [ "crowdsecurity/base-config" ];
        collections = [
          "crowdsecurity/http-cve"
          "crowdsecurity/http-dos"
          "crowdsecurity/linux"
          "crowdsecurity/nextcloud"
          "crowdsecurity/pgsql"
          "crowdsecurity/smb"
          "crowdsecurity/sshd"
          "crowdsecurity/traefik"
          "firix/authentik"
        ];
        parsers = [
          "crowdsecurity/actual-budget-whitelist"
          "crowdsecurity/jellyfin-whitelist"
          "crowdsecurity/jellyseerr-whitelist"
          "crowdsecurity/nextcloud-logs"
          "crowdsecurity/nextcloud-whitelist"
          "crowdsecurity/pgsql-logs"
          "crowdsecurity/smb-logs"
          "crowdsecurity/sshd-logs"
          "crowdsecurity/sshd-success-logs"
          "crowdsecurity/syslog-logs"
        ];
        postOverflows = [ "crowdsecurity/auditd-nix-wrappers-whitelist-process" ];
        scenarios = [ "crowdsecurity/ssh-bf" ];
      };

      localConfig.acquisitions = map mkJournalAcquisition journalUnits;

      settings = {
        general.api = {
          server = {
            enable = true;
            # A non-loopback listenAddress makes the LAPI reachable from the
            # network; keep it on loopback unless remote clients require it.
            listen_uri = "${cfg.listenAddress}:${toString cfg.port}";
          };
          # mkForce: this path wins over any other definition of the option.
          # The file holds LAPI client credentials, so cfg.configDir should not
          # be readable by other users.
          client.credentials_path = lib.mkForce "${cfg.configDir}/crowdsec/client.yaml";
        };
        # mkDefault: other modules may still override the Central API
        # credentials location.
        capi.credentialsFile = lib.mkDefault "${cfg.configDir}/crowdsec/capi.yaml";
      };
    };
  };
in
{
  imports = [ crowdsecConfig ];
}