# NixOS module: SSH server restricted to non-password logins, with fail2ban
# enabled and TCP port 22 allowed through the firewall.
{ config, ... }:
{
  # Turn on the fail2ban service.
  # NOTE(review): which jails are active (e.g. one watching sshd) depends on
  # the module defaults of the target NixOS release; confirm.
  services.fail2ban.enable = true;

  services.openssh.enable = true;

  # Password logins are refused for every account, so clients need a key
  # (or another non-password method).
  # NOTE(review): keyboard-interactive authentication is a separate sshd
  # setting and is not changed here; verify it is off if password-style
  # prompts must be fully disabled.
  services.openssh.passwordAuthentication = false;

  # root may still log in over SSH, but never with a password.
  # Use "no" instead if direct root logins are not required.
  # NOTE(review): newer NixOS releases spell these two options
  # services.openssh.settings.PermitRootLogin / PasswordAuthentication;
  # confirm which form the target release expects.
  services.openssh.permitRootLogin = "prohibit-password";

  # Accept inbound TCP connections on the SSH port.
  # NOTE(review): services.openssh.openFirewall normally opens the sshd port
  # already, so this entry may be redundant; confirm.
  networking.firewall.allowedTCPPorts = [ 22 ];
}