{
  # Enable SSH
  services = {
    openssh = {
      enable = true;
      settings = {
        PermitRootLogin = "no";
        PrintLastLog = "no";
        PasswordAuthentication = false;
      };
    };

    # Block nefarious SSH connections
    fail2ban = {
      enable = true;
      maxretry = 5;
      bantime = "5m";
      ignoreIP = [ "10.0.0.0/24" ];
    };
  };
}