{lib, ...}:
{
  # Only SSH is reachable from outside; 22 matches services.openssh.ports below.
  networking.firewall.allowedTCPPorts = [ 22 ];

  # accept Let's Encrypt's security policy
  security.acme.acceptTerms = true;
  security.acme.defaults.email = "them@dobutterfliescry.net";

  security.sudo.enable = true;
  security.sudo.wheelNeedsPassword = true;

  # allow SSH keys for passwordless auth
  security.pam.sshAgentAuth.enable = true;
  # pam_ssh_agent_auth module: sudo can be satisfied by a key held in the
  # caller's SSH agent instead of the wheel password required above, so the
  # agent (and any forwarding of it) becomes part of the sudo trust boundary.
  security.pam.services.sudo.sshAgentAuth = true;

  services.openssh = {
    enable = true;
    ports = [22];
    settings = {
      PasswordAuthentication = false;
      PermitRootLogin = "no";
      AllowUsers = ["cry"]; # DO NOT ALLOW ALL
      # Reverse-resolves client addresses at login; this is only needed for
      # host-name based matching and makes every login depend on DNS answers.
      # NOTE(review): confirm this is intended rather than left at the default.
      UseDns = true;
      X11Forwarding = false;
    };
  };

  # primary user
  users.users.cry = {
    isNormalUser = true;
    home = "/home/cry";
    extraGroups = ["wheel"];
    # Priority 900 sits between mkDefault (1000) and a plain assignment (100):
    # a host that sets its keys normally replaces this placeholder, while a
    # host that forgets fails at evaluation time with the message below
    # instead of silently deploying a user with no keys.
    openssh.authorizedKeys.keys = lib.mkOverride 900 [
      (throw ''
        Hosts in the `server` group must set `users.users.cry.openssh.authorizedKeys.keys = [ ... ]`.
      '')
    ];
  };
}