{
  config,
  lib,
  myData,
  ...
}: {
  options.mj.services.sshguard = with lib.types; {
    enable = lib.mkOption {
      type = bool;
      default = false;
    };
  };

  config = lib.mkIf config.mj.services.sshguard.enable {
    services.sshguard = {
      enable = true;
      blocktime = 900;
      whitelist =
        ["192.168.0.0/16" myData.subnets.tailscale.cidr]
        ++ (lib.catAttrs "publicIP" (lib.attrValues myData.hosts));
    };
  };
}