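{lib, ...}: {
  # Shared hardening for hosts in the `server` group: sshd on a non-default
  # port with key-only login for a single named user, sudo for `wheel`
  # satisfied by a key in the (forwarded) ssh-agent, and fail2ban in front
  # of sshd. Each host must supply the `cry` user's authorized keys (see the
  # `throw` at the bottom).

  networking.firewall = {
    allowedTCPPorts = [
      42069 # ssh -- must stay in sync with services.openssh.ports below
    ];
  };

  security = {
    # accept Let's Encrypt's security policy
    acme = {
      acceptTerms = true;
      defaults.email = "eclarkboman@gmail.com";
    };

    sudo = {
      enable = true;
      wheelNeedsPassword = true;
    };

    # allow SSH keys for passwordless auth: with pam_ssh_agent_auth a key
    # held in the connecting ssh-agent can satisfy sudo's auth step instead
    # of a password.
    # NOTE(review): this means anything that can reach the forwarded agent
    # socket on this host can also pass sudo -- only forward the agent to
    # machines you trust.
    pam = {
      sshAgentAuth.enable = true;
      services.sudo.sshAgentAuth = true; # pam_ssh_agent_auth module
    };
  };

  services = {
    openssh = {
      enable = true;
      ports = [42069];
      settings = {
        PasswordAuthentication = false;
        # NixOS's sshd module defaults KbdInteractiveAuthentication to true
        # and runs sshd with PAM, so turning off PasswordAuthentication alone
        # still leaves a password prompt reachable through keyboard-interactive
        # auth. Disable it explicitly so logins are genuinely key-only.
        KbdInteractiveAuthentication = false;
        PermitRootLogin = "no";
        AllowUsers = ["cry"]; # DO NOT ALLOW ALL
        # reverse-DNS lookup of the client on each connection; only needed
        # if hostname-based patterns are used (none are here) -- TODO confirm
        # it is wanted, it slows logins and adds nothing to key auth.
        UseDns = true;
        X11Forwarding = false;
      };
    };
  };

  # simple fail2ban config (not production ready or anything though)
  # refer to: https://nixos.wiki/wiki/Fail2Ban
  # NOTE(review): the jail is expected to watch services.openssh.ports rather
  # than port 22; verify with `fail2ban-client status sshd` that 42069 is the
  # monitored port -- TODO confirm.
  services.fail2ban = {
    enable = true;
    maxretry = 5;
    bantime = "10m"; # 10 minute ban
    # repeat offenders get progressively longer bans, capped at maxtime
    bantime-increment = {
      enable = true;
      formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
      # multipliers = "1 2 4 8 16 32 64";
      maxtime = "168h"; # dont ban for more than 1 week
      overalljails = true; # count bans across all jails, not per jail
    };
  };

  users = {
    users = {
      # primary user; the only account sshd admits (see AllowUsers above)
      cry = {
        isNormalUser = true;
        home = "/home/cry";
        extraGroups = ["wheel"];
        # Deliberately fails evaluation unless the host overrides it: an
        # empty key list here would lock the only allowed user out of SSH.
        openssh.authorizedKeys.keys = lib.mkDefault [
          (throw ''
            Hosts in the `server` group must set
            `users.users.cry.openssh.authorizedKeys.keys = [ ... ]`.
          '')
        ];
      };
    };
  };
}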