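# SSH access for this host: key-only OpenSSH, TCP 22 opened in the firewall,
# and fail2ban enabled.
{ config, lib, pkgs, ... }:

{
  # Enable the OpenSSH daemon.
  services.openssh = {
    enable = true;
    allowSFTP = true;

    # The module does not open the firewall itself; the port is opened
    # explicitly at the bottom of this file. If services.openssh.ports is ever
    # changed, that list has to be updated by hand.
    openFirewall = false;

    # Do not consult ~/.ssh/authorized_keys. Only keys declared in the system
    # configuration (see users.users.nico below) are accepted, so a key dropped
    # into a home directory does not grant access.
    authorizedKeysInHomedir = false;

    settings = {
      PermitRootLogin = "no";
      PasswordAuthentication = false;

      # PasswordAuthentication = false does not cover keyboard-interactive
      # authentication, which NixOS leaves enabled by default and which can
      # still prompt for a password through PAM. Disable it so the daemon is
      # key-only, as the rest of this file intends.
      KbdInteractiveAuthentication = false;

      # Remote port forwards bind to loopback only.
      GatewayPorts = "no";
    };
  };

  # The only key accepted for user "nico" (public key; safe to keep in the repo).
  users.users.nico.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNq0xyfsucfXiFnLsUC/rz0FDw8JrPtUdFqmKLL0HBM"
  ];

  # Allow inbound SSH through the firewall (needed because openFirewall = false).
  networking.firewall.allowedTCPPorts = [ 22 ];

  # Ban addresses that repeatedly fail authentication.
  # NOTE(review): confirm the sshd jail is active on this NixOS release.
  services.fail2ban.enable = true;
}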