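# NixOS module: remote-access baseline for a host.
# Enables key-only OpenSSH, fail2ban and ACME defaults, declares the login
# accounts, and serves the Nix store over SSH. Every account below shares the
# same `authorizedKeys` list.
{
  config,
  pkgs,
  ...
}: let
  # Single source of truth for SSH public keys. Each key listed here is
  # accepted for root, nix-builder, cyryl AND nix.sshServe, so the private half
  # of any one of them is sufficient for root on this host. Removing a key here
  # revokes it everywhere it is used in this file.
  authorizedKeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEo4R+6J3h6Ix3xWpOMdU7Es1/YxFchHw0c+kcCOJxFb cyryl@foureighty"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBDa2qAxpUEFeBYl2wlzDa/x37TAAy5pOBHv50OXUrV5 cyryl@thinky"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBKc/pKrkWLaq6IdfcFqBV3PnPwhTEUh2rOP5g6I5OBd cyryl@airy"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPbJNY48F1Vn11aDX5hJSj4oS2NIKEH2busqoyQTLIvk cyryl@bolty"
  ];
in {
  # Further hardening lives in ./security.nix (not visible from this file).
  imports = [./security.nix];

  # ACME account contact address and acceptance of the CA's terms of service.
  security.acme.defaults.email = "admin@cyplo.dev";
  security.acme.acceptTerms = true;

  # fail2ban runs with its module defaults; no jails are customised here.
  services.fail2ban.enable = true;

  services.openssh = {
    enable = true;
    settings = {
      # root may log in, but only with a key: "prohibit-password" disables
      # password and keyboard-interactive authentication for root only.
      PermitRootLogin = "prohibit-password";
      # Password authentication is off for every account.
      # NOTE(review): keyboard-interactive is governed separately by
      # KbdInteractiveAuthentication, which this file does not set; confirm it
      # is disabled (here or in ./security.nix) if key-only login is the goal.
      PasswordAuthentication = false;
    };
  };

  # Client-side ssh_config for outbound connections from this host.
  # ssh_config ignores indentation: a keyword belongs to the most recent
  # Host/Match line. As written, StrictHostKeyChecking=accept-new therefore
  # applies to the second Host block (cupsnet, cupsnet.raptor-carp.ts.net) and
  # not to cupsnet.cyplo.dev, which keeps the default.
  # NOTE(review): confirm that scoping is intended. accept-new records an
  # unknown host key on first contact without prompting (trust on first use)
  # and still refuses a key that has changed.
  programs.ssh.extraConfig = ''
    Host cupsnet.cyplo.dev
        HostName cupsnet.cyplo.dev
        Port 2222
    Host cupsnet cupsnet.raptor-carp.ts.net
        HostName cupsnet.raptor-carp.ts.net
        Port 2222
    StrictHostKeyChecking=accept-new
  '';

  # Direct root login by key. Uses users.users (users.extraUsers is the legacy
  # alias for the same option) so all accounts are declared the same way.
  users.users.root.openssh.authorizedKeys.keys = authorizedKeys;

  users.users.nix-builder = {
    isNormalUser = true;
    openssh.authorizedKeys.keys = authorizedKeys;
  };

  users.users.cyryl = {
    isNormalUser = true;
    openssh.authorizedKeys.keys = authorizedKeys;
  };

  nix = {
    # The Nix manual treats trusted-users as essentially root-equivalent: a
    # trusted user can override daemon settings and import unsigned store
    # paths. nix-builder and cyryl should be regarded as privileged accounts
    # even though they are declared as normal users above.
    settings.trusted-users = ["root" "nix-builder" "cyryl"];
    # Serve this machine's Nix store over SSH to holders of the same keys.
    sshServe.enable = true;
    sshServe.keys = authorizedKeys;
  };
}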