diff --git a/modules/services/indexers/default.nix b/modules/services/indexers/default.nix
index 66f1604..fb06a0b 100644
--- a/modules/services/indexers/default.nix
+++ b/modules/services/indexers/default.nix
@@ -60,6 +60,22 @@ in
 port = prowlarrPort;
 }
 ];
+
+ services.fail2ban.jails = {
+ prowlarr = ''
+ enabled = true
+ filter = prowlarr
+ action = iptables-allports
+ '';
+ };
+
+ environment.etc = {
+ "fail2ban/filter.d/prowlarr.conf".text = ''
+ [Definition]
+ failregex = ^.*\|Warn\|Auth\|Auth-Failure ip username .*$
+ journalmatch = _SYSTEMD_UNIT=prowlarr.service
+ '';
+ };
 })
 ];
 }
diff --git a/modules/services/pirate/default.nix b/modules/services/pirate/default.nix
index 42dd12b..7c341e7 100644
--- a/modules/services/pirate/default.nix
+++ b/modules/services/pirate/default.nix
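Review bot: The `failregex` written to `fail2ban/filter.d/prowlarr.conf` is wrapped in `^.*` and `.*$`, so the match is not pinned to the start of the log record even though the trailing username field is text the client supplies. Anchoring the prefix, for example `failregex = ^[^|]*\|Warn\|Auth\|Auth-Failure ip <HOST> username .*$`, keeps that field from influencing which part of the line is matched. As rendered here the expression also has no `<HOST>` tag between `ip` and `username`; if that is what was committed rather than a rendering loss, fail2ban has no address to act on. It is worth running `fail2ban-regex` against real journal output for `prowlarr.service` to confirm the `|Warn|Auth|` layout is what reaches the journal. The same expression is repeated in `mkFail2Ban` in modules/services/pirate/default.nix, and the enclosing attribute set starts outside this hunk.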
@@ -13,26 +13,65 @@ let
 sonarr = 8989;
 };
- managers = with lib.attrsets;
- (mapAttrs
- (_: _: {
- enable = true;
- group = "media";
- })
- ports);
+ mkService = service: {
+ services.${service} = {
+ enable = true;
+ group = "media";
+ };
+ };
- redirections = lib.flip lib.mapAttrsToList ports
- (subdomain: port: { inherit subdomain port; });
+ mkRedirection = service: {
+ my.services.nginx.virtualHosts = [
+ {
+ subdomain = service;
+ port = ports.${service};
+ }
+ ];
+ };
+
+ mkFail2Ban = service: {
+ services.fail2ban.jails = {
+ ${service} = ''
+ enabled = true
+ filter = ${service}
+ action = iptables-allports
+ '';
+ };
+
+ environment.etc = {
+ "fail2ban/filter.d/${service}.conf".text = ''
+ [Definition]
+ failregex = ^.*\|Warn\|Auth\|Auth-Failure ip username .*$
+ journalmatch = _SYSTEMD_UNIT=${service}.service
+ '';
+ };
+ };
+
+ mkFullConfig = service: lib.mkMerge [
+ (mkService service)
+ (mkRedirection service)
+ ];
 in
 {
 options.my.services.pirate = {
 enable = lib.mkEnableOption "Media automation";
 };
- config = lib.mkIf cfg.enable {
- services = managers;
- my.services.nginx.virtualHosts = redirections;
- # Set-up media group
- users.groups.media = { };
- };
+ config = lib.mkIf cfg.enable (lib.mkMerge [
+ {
+ # Set-up media group
+ users.groups.media = { };
+ }
+ # Bazarr does not log authentication failures...
+ (mkFullConfig "bazarr")
+ # Lidarr for music
+ (mkFullConfig "lidarr")
+ (mkFail2Ban "lidarr")
+ # Radarr for movies
+ (mkFullConfig "radarr")
+ (mkFail2Ban "radarr")
+ # Sonarr for shows
+ (mkFullConfig "sonarr")
+ (mkFail2Ban "sonarr")
+ ]);
 }
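Review bot: `mkFail2Ban` bans whatever address the application prints after `ip`, yet every service it covers is published through nginx by `mkRedirection`, so that address may be the proxy's rather than the client's. This is inferred, since the nginx module and the applications' forwarded-header handling are not visible here. A comment on the helper would record the assumption, e.g. `# Jails assume the service logs the forwarded client address, not nginx's own`. Bazarr is still exposed by `mkFullConfig "bazarr"` with no jail at all, so its comment could name what limits login attempts there instead: `# Bazarr does not log authentication failures: no jail, protected by <other control>`. The `let` block that holds these helpers begins outside the hunk.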