{ config, lib, namespace, ... }:
let
  cfg = config.${namespace}.services.crowdsec;

  # Build one journald acquisition for a systemd unit. All three log sources
  # in this module are read from the journal and tagged as syslog-formatted.
  journalAcquisition = unit: {
    source = "journalctl";
    journalctl_filter = [ "_SYSTEMD_UNIT=${unit}" ];
    labels.type = "syslog";
  };
in
{
  imports = [ ./options.nix ];

  config = lib.mkIf cfg.enable {
    services.crowdsec = {
      enable = true;

      # Opens the CrowdSec listen port (local API) in the host firewall on
      # every interface. That is only needed when remote agents or bouncers
      # must reach this host's LAPI; if every bouncer runs locally this
      # exposes the API for no benefit. NOTE(review): confirm remote clients
      # exist before keeping this enabled.
      openFirewall = true;

      # Hub items to install. Scenarios/parsers here only fire if matching
      # log lines arrive through the acquisitions below.
      hub = {
        collections = [
          "crowdsecurity/linux"
          "crowdsecurity/traefik"
          "firix/authentik"
        ];
        parsers = [ "crowdsecurity/sshd-logs" ];
        scenarios = [ "crowdsecurity/ssh-bf" ];
        postOverflows = [ "crowdsecurity/auditd-nix-wrappers-whitelist-process" ];

        # NOTE(review): no acquisition with `source = "appsec"` is declared in
        # this module, so these AppSec items are installed but, unless the
        # AppSec listener and a bouncer are wired up elsewhere, never consulted.
        # Confirm against the rest of the configuration.
        appSecConfigs = [ "crowdsecurity/appsec-default" ];
        appSecRules = [ "crowdsecurity/base-config" ];
      };

      # Journal sources feeding the engine. NOTE(review): every source is
      # labelled `type = "syslog"`; verify that the traefik and authentik hub
      # parsers match on that label, otherwise those units' lines are read
      # but never parsed and the related scenarios silently stay quiet.
      localConfig.acquisitions = map journalAcquisition [
        "sshd.service"
        "traefik.service"
        "authentik.service"
      ];

      settings = {
        # general.api.server.enable = true;

        # Path to the Central API enrolment credentials. This should point
        # at a secret delivered outside the Nix store (the store is
        # world-readable). NOTE(review): the option is named `apiKey` but is
        # consumed as a credentials *file* path — confirm options.nix
        # declares it as a path and that the file is provisioned with
        # restricted permissions.
        capi.credentialsFile = cfg.apiKey;
      };
    };
  };
}