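# NixOS module: key-only OpenSSH server, one pinned known-host entry, and
# sshguard for brute-force throttling.
{ config, ... }:
{
  services.openssh = {
    enable = true;

    # Defining hostKeys replaces the module's default list, so this ed25519 key
    # is the only host key sshd is configured with.
    # NOTE(review): the path comes from the project's `secrets` option; confirm
    # it resolves to a root-only file outside the world-readable Nix store.
    hostKeys = [
      {
        path = config.secrets.files.ssh_host_ed25519_key.file;
        type = "ed25519";
      }
    ];

    settings = {
      # Key exchange restricted to X25519; the two entries are the standard and
      # the older libssh name for the same algorithm.
      # NOTE(review): this list overrides the module default wholesale, so any
      # hybrid post-quantum KEX the default would offer is not offered here.
      # Confirm that is intended.
      KexAlgorithms = [
        "curve25519-sha256"
        "curve25519-sha256@libssh.org"
      ];

      # Encrypt-then-MAC variants only. These matter only for non-AEAD ciphers;
      # Ciphers is not set in this module, so the cipher list is whatever
      # default applies.
      # NOTE(review): the original list named hmac-sha2-512-etm@openssh.com
      # twice. The duplicate is dropped here. If hmac-sha2-256-etm@openssh.com
      # was the intended second entry, add it deliberately.
      Macs = [
        "hmac-sha2-512-etm@openssh.com"
        "umac-128-etm@openssh.com"
      ];

      # Public-key authentication only: no direct root login, no password or
      # keyboard-interactive prompts.
      PermitRootLogin = "no";
      KbdInteractiveAuthentication = false;
      PasswordAuthentication = false;
    };
  };

  # Pin the host key of despondos so outbound connections from this machine
  # verify it against the checked-in public key instead of trusting on first
  # use.
  programs.ssh.knownHosts = {
    despondos = {
      hostNames = [ "despondos.nao.sh" ];
      publicKeyFile = ../data/pubkeys/despondos_host_ed25519_key.pub;
    };
  };

  # Throttle repeated authentication failures; blocktime is the initial block
  # duration in seconds.
  services.sshguard = {
    enable = true;
    blocktime = 300;
  };
}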