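# NixOS module: key-only OpenSSH server, firewall opening for it, and fail2ban.
{ config, lib, pkgs, ... }:

{
  # Enable the OpenSSH daemon.
  services.openssh = {
    enable = true;

    # Keep the SFTP subsystem available for file transfer.
    allowSFTP = true;

    # The firewall rule is declared explicitly further down, so the module's
    # own automatic opening stays off.
    openFirewall = false;

    # Ignore ~/.ssh/authorized_keys. Keys must be declared in the system
    # configuration (e.g. users.users.<name>.openssh.authorizedKeys.keys).
    # With passwords disabled as well, an account without a declared key
    # cannot log in over SSH, so confirm one exists before deploying remotely.
    authorizedKeysInHomedir = false;

    settings = {
      # No direct root logins by any method.
      PermitRootLogin = "no";

      # Public-key only. PasswordAuthentication by itself leaves
      # keyboard-interactive (PAM) prompts available, which can still accept
      # a password, so that method is switched off too.
      # NOTE(review): drop the second line only if a PAM-based second factor
      # over SSH is intended.
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;

      # Remote port forwards bind to loopback only.
      GatewayPorts = "no";
    };
  };

  # Open the firewall for SSH. Derived from the daemon's configured ports
  # (default: 22) so the rule cannot drift if the listening port is changed.
  networking.firewall.allowedTCPPorts = config.services.openssh.ports;

  # Ban addresses that repeatedly fail authentication.
  services.fail2ban.enable = true;
}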