# NixOS host module: Docker with fixed resolvers, key-only SSH on a
# non-standard port, an SSH tarpit on port 22, and fail2ban.
{ ... }:
{
  imports = [ ../modules/common.nix ];

  # Docker daemon; containers resolve names through the two resolvers below.
  # NOTE(review): Docker manages its own packet-filter rules, so container ports
  # published to the host are typically reachable regardless of the host
  # firewall configuration. Confirm what this host is meant to expose.
  virtualisation.docker = {
    enable = true;
    daemon.settings.dns = [
      "1.1.1.1"
      "1.0.0.1"
    ];
  };

  # Public keys allowed to log in as "mel". This file sets up no other way to
  # authenticate as this user (passwords are disabled in sshd below).
  users.users.mel = {
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINTG/DHTkuQgwLakSBuXx3XBe+WjUmDlSgLBGzldx/ZD mel@moissanite"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDlqytVSNMFAfbB+rdiNktv3WYViVBMeK7zUO2Pjfii+ mel@corsac"
    ];
  };

  # The real sshd. The port is a fixed non-standard one rather than a random
  # one; moving it reduces scanner noise but is not an access control. The
  # controls are the settings below: no password login, no
  # keyboard-interactive login, no root login.
  services.openssh = {
    enable = true;
    ports = [ 62322 ];
    openFirewall = true;
    settings.PasswordAuthentication = false;
    settings.KbdInteractiveAuthentication = false;
    settings.PermitRootLogin = "no";
  };

  # SSH tarpit on the default SSH port, open to the network, to slow down
  # automated scanners that try port 22.
  services.endlessh = {
    enable = true;
    port = 22;
    openFirewall = true;
  };

  # Bans clients that reach the real sshd port and fail to authenticate.
  # NOTE(review): no jail is configured here, so this relies on the module's
  # default jails. Confirm the sshd jail follows port 62322 and not 22.
  services.fail2ban.enable = true;
}