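# NixOS module: OpenSSH on a non-standard port, an endlessh-go tarpit on
# port 22, and sshguard watching for brute-force attempts.
{ config, pkgs, lib, ... }:

let
  # Helper handed to sshd as AuthorizedKeysCommand. It prints every *.pub file
  # found in /root/.ssh and stays silent when none match.
  #
  # NOTE(review): the script ignores the user name sshd passes to it, so the
  # same key list is returned for whichever account is being authenticated,
  # not only root. Confirm that is intended; otherwise have the script return
  # keys only for the account it was asked about.
  #
  # NOTE(review): *.pub files are usually the public halves of key pairs that
  # live on this host, not an authorized_keys list. Confirm these are the keys
  # that should be accepted for login.
  sshLookup = pkgs.writeShellScriptBin "ssh-lookup-root-pubs" ''
    #!/bin/sh
    cat /root/.ssh/*.pub 2>/dev/null
  '';
in
{
  services.openssh = {
    enable = true;

    # Reverse-resolve the client address. This costs a DNS lookup per
    # connection and matters mainly for host-name based rules.
    settings.UseDns = true;

    # root may log in, but only with non-password methods (e.g. public key).
    settings.PermitRootLogin = "prohibit-password";

    # Socket activation: sshd is started when a connection arrives.
    startWhenNeeded = true;

    # The real sshd listens here; port 22 is given to the tarpit below.
    ports = [ 6969 ];
    openFirewall = true;

    #settings.Ciphers = [
    #  "chacha20-poly1305@openssh.com"
    #  "aes256-gcm@openssh.com"
    #  "aes128-gcm@openssh.com"
    #  "aes256-ctr"
    #  # remove some weaker ciphers
    #];

    # writeShellScriptBin produces a directory with the script under bin/, so
    # point sshd at the executable itself. Interpolating the derivation alone
    # yields the store directory, which sshd cannot execute.
    #
    # NOTE(review): authorizedKeysCommandUser is not set in this module. If
    # the command runs as an unprivileged user it may be unable to read
    # /root/.ssh, in which case no keys are returned. Verify on the target host.
    authorizedKeysCommand = "${sshLookup}/bin/ssh-lookup-root-pubs";
  };

  # SSH tarpit on the default port, so scanners hitting 22 never reach sshd.
  services.endlessh-go = {
    enable = true;
    port = 22;
    openFirewall = true;
  };

  services.sshguard.enable = true; # protection against brute force attacks
}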