# SSH for this host: the user's client config (via home-manager), sshd,
# the firewall opening for it, fail2ban, and the user's authorized keys.
{ config, lib, ... }:
let
  user = config.user;
  sshPort = 22;
in
{
  # ssh client: enabled for the user; extra client config is read from the
  # ./config file next to this module.
  home-manager.users.${user}.programs.ssh = {
    enable = true;
    extraConfig = lib.fileContents ./config;
  };

  services = {
    # sshd
    openssh = {
      enable = true;
      ports = [ sshPort ];
      settings = {
        # Password and keyboard-interactive logins are both off, so the keys
        # listed under authorizedKeys at the bottom are what lets the user in.
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
        # No direct root sessions over ssh.
        PermitRootLogin = "no";
        X11Forwarding = false;
        # NOTE(review): UseDns makes sshd reverse-resolve every connecting
        # address, so login latency depends on the resolver. It is only
        # needed for hostname-based matching (e.g. from= in authorized_keys);
        # confirm that is in use, otherwise false is the leaner setting.
        UseDns = true;
      };
    };

    # ban evil
    fail2ban = {
      enable = true;
      ignoreIP = [
        # freyanet
        # NOTE(review): /14 spans 10.0.0.0 through 10.3.255.255; no address
        # in that range is ever banned, so keep it as narrow as the trusted
        # network really is.
        "10.0.0.0/14"
      ];
    };
  };

  # allow ssh port
  # NOTE(review): services.openssh.openFirewall defaults to true on NixOS and
  # already opens the sshd ports, so this entry is probably redundant. Confirm
  # against the nixpkgs release in use.
  networking.firewall.allowedTCPPorts = [ sshPort ];

  # add authorized keys
  users.users.${user}.openssh.authorizedKeys.keyFiles = [
    ../../files/keys/ssh.pub
  ];
}