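# NixOS module: hardened OpenSSH daemon, one pinned known host, and sshguard.
#
# NOTE(review): the option names below are the older top-level ones
# (permitRootLogin, passwordAuthentication, ...). Newer NixOS releases move
# these under services.openssh.settings -- confirm against the channel in use.
{ ... }:

{
  services.openssh = {
    enable = true;

    # Key-only access for non-root accounts: root login is refused and both
    # password and challenge-response (keyboard-interactive) auth are off,
    # so no interactive authentication path remains.
    permitRootLogin = "no";
    passwordAuthentication = false;
    challengeResponseAuthentication = false;

    # Only an Ed25519 host key is listed, so no RSA/ECDSA host keys are
    # offered. Clients that pinned an older key type will see a host-key
    # change on first connect after this is deployed.
    hostKeys = [
      {
        path = "/etc/ssh/ssh_host_ed25519_key";
        type = "ed25519";
      }
    ];

    # Both names denote the same X25519 key exchange; the @libssh.org form
    # is kept for clients that only know the pre-standardisation name.
    kexAlgorithms = [
      "curve25519-sha256"
      "curve25519-sha256@libssh.org"
    ];

    # Encrypt-then-MAC variants only.
    # The original list named hmac-sha2-512-etm@openssh.com twice; the
    # duplicate is dropped here.
    # NOTE(review): the second entry may have been meant to be
    # hmac-sha2-256-etm@openssh.com -- confirm intent before adding it.
    # No cipher list is set in this module, so the cipher defaults apply;
    # MACs are only negotiated when a non-AEAD cipher is selected.
    macs = [
      "hmac-sha2-512-etm@openssh.com"
      "umac-128-etm@openssh.com"
    ];
  };

  # Pin the host key for despondos so outgoing connections from this machine
  # verify it against the key file in the repository instead of relying on
  # trust-on-first-use.
  programs.ssh.knownHosts = {
    despondos = {
      hostNames = [ "despondos.nao.sh" ];
      publicKeyFile = ../data/pubkeys/despondos_host_ed25519_key.pub;
    };
  };

  # Block sources of repeated failed logins; blocktime is in seconds.
  services.sshguard = {
    enable = true;
    blocktime = 300;
  };
}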