# NixOS module: when the `network` option is set, run a key-only sshd on
# port 22, open that port in the firewall, enable fail2ban, and install the
# flake's SSH public keys for the configured user.
#
# `config.network`, `config.user` and `self.lib.sshKeys` are declared outside
# this file (not visible here).
{ lib, config, self, ... }:
{
  config = lib.mkIf config.network {
    services = {
      # sshd
      openssh = {
        enable = true;
        ports = [ 22 ];
        settings = {
          # Password and keyboard-interactive logins are both off, leaving
          # the key files installed below as the intended way in.
          PasswordAuthentication = false;
          KbdInteractiveAuthentication = false;
          # Direct root login is refused; log in as the user and escalate.
          PermitRootLogin = "no";
          X11Forwarding = false;
          # sshd resolves the client's hostname on connect.
          # NOTE(review): this makes logins depend on DNS and is only needed
          # for hostname-based matching (e.g. `from="host"` in
          # authorized_keys or `Match Host`) - confirm it is required.
          UseDns = true;
        };
      };

      # ban repeated authentication failures
      fail2ban = {
        enable = true;
        ignoreIP = [
          # freyanet: sources in 10.0.0.0/14 (10.0.0.0 - 10.3.255.255) are
          # never banned, so keep this no wider than the trusted network.
          "10.0.0.0/14"
        ];
      };
    };

    # allow ssh port
    # NOTE(review): this must stay in sync with services.openssh.ports above.
    # nixpkgs' services.openssh.openFirewall (default true, as far as I know)
    # already opens the sshd ports, so this entry may be redundant - verify.
    networking.firewall.allowedTCPPorts = [ 22 ];

    # add authorized keys
    # presumably self.lib.sshKeys is a list of public-key files kept in the
    # flake; every key in those files can log in as this user.
    users.users.${config.user}.openssh.authorizedKeys.keyFiles = self.lib.sshKeys;
  };
}