# NixOS module: OpenSSH server with a restricted key-exchange/MAC set and a
# fail2ban jail that follows the configured SSH ports.
{ lib, config, ... }:
let
  # Single source of truth for the listening ports; the jail below is derived
  # from it so a port change cannot leave the jail watching the old port.
  sshPorts = config.services.openssh.ports;
in
{
  # Do not start the per-user ssh-agent.
  programs.ssh.startAgent = false;

  # NOTE(review): only the jail is defined here. This module does not set
  # services.fail2ban.enable, so confirm it is enabled elsewhere; otherwise
  # the jail has no effect.
  services.fail2ban.jails.sshd.settings = {
    enabled = true;
    # "aggressive" combines the sshd filter's normal, ddos and extra patterns,
    # so pre-authentication failures also count towards a ban. That can ban
    # legitimate clients with flaky connections or mismatched algorithms;
    # review the ban/ignore settings accordingly.
    filter = "sshd[mode=aggressive]";
    # Comma-separated port list, e.g. "22".
    port = lib.concatMapStringsSep "," toString sshPorts;
  };

  services.openssh = {
    enable = true;
    ports = [ 22 ];
    # The module will not open these ports in the NixOS firewall; reachability
    # has to be granted explicitly elsewhere (not shown in this file).
    openFirewall = false;

    # NOTE(review): authentication options (password/root login) and Ciphers
    # are not set here, so they come from defaults or other modules. Verify
    # them separately.
    settings = {
      # Explicit allow-list that replaces the default key-exchange set.
      # The negotiated algorithm is the first one on the *client's* list that
      # the server also offers, so the order here does not express a server
      # preference (the hybrid post-quantum sntrup761x25519 entry being last
      # does not demote it).
      KexAlgorithms = [
        "curve25519-sha256"
        "curve25519-sha256@libssh.org"
        "diffie-hellman-group16-sha512"
        "diffie-hellman-group18-sha512"
        "diffie-hellman-group-exchange-sha256"
        "sntrup761x25519-sha512@openssh.com"
      ];

      # Encrypt-then-MAC variants only. This applies to non-AEAD ciphers;
      # AEAD ciphers provide their own integrity and ignore this list.
      Macs = [
        "hmac-sha2-512-etm@openssh.com"
        "hmac-sha2-256-etm@openssh.com"
        "umac-128-etm@openssh.com"
      ];
    };
  };
}