{
  networking.firewall.enable = true;
  services = {
    fail2ban.enable = true;
    openssh = {
      enable = true;
      ports = [1322];
      settings = {
        PasswordAuthentication = false;
        PermitRootLogin = "no";
        StreamLocalBindUnlink = "yes";
      };
    };
  };
}