# NixOS host module: boot/swap housekeeping, fail2ban, Tailscale, a key-only
# OpenSSH daemon, the host firewall and root's authorized SSH keys.
# `host` is supplied by the caller; only `host.hostName` is read here.
{ host, ... }:
{
  imports = [ ./hardware-configuration.nix ];

  boot = {
    # Wipe /tmp on every boot.
    tmp.cleanOnBoot = true;

    # Turns this machine into an IPv4/IPv6 router.
    # NOTE(review): presumably needed for Tailscale subnet-router/exit-node
    # use; confirm. The firewall section below only lists inbound TCP ports
    # and sets no policy for forwarded traffic.
    kernel.sysctl = {
      "net.ipv4.ip_forward" = 1;
      "net.ipv6.conf.all.forwarding" = 1;
    };
  };

  # Compressed in-RAM swap plus a swap file (size is in MiB: 2 * 1024).
  zramSwap.enable = true;
  swapDevices = [
    {
      device = "/swapfile";
      size = 2 * 1024;
    }
  ];

  # Ban after 5 failures for 1h; repeat offenders get the ban time multiplied
  # step by step, capped at 24h, with offences counted across all jails.
  services.fail2ban = {
    enable = true;
    maxretry = 5;
    bantime = "1h";

    # Sources that are never banned: every RFC 1918 private range plus one
    # DNS name.
    # NOTE(review): any host reaching sshd from a private address is exempt
    # from banning, so brute-force protection only applies to public sources.
    # NOTE(review): "tailc353f.ts.net" looks like a tailnet DNS suffix rather
    # than a single host, so it may not resolve to an address fail2ban can
    # match. Tailscale peers normally use 100.64.0.0/10, which is not listed.
    # Confirm what this entry is meant to exempt.
    ignoreIP = [
      "172.16.0.0/12"
      "192.168.0.0/16"
      "10.0.0.0/8"
      "tailc353f.ts.net"
    ];

    bantime-increment = {
      enable = true;
      multipliers = "1 2 4 8 16 32 64 128 256";
      maxtime = "24h";
      overalljails = true;
    };
  };

  services.tailscale.enable = true;

  # sshd listens on 22 and 2022. Password, empty-password and
  # keyboard-interactive logins are off, so authentication is by public key
  # only. Root may log in, but only with a key ("prohibit-password").
  # X11, TCP and agent forwarding are all disabled.
  services.openssh = {
    enable = true;
    ports = [
      22
      2022
    ];

    settings = {
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      PermitEmptyPasswords = false;
      PermitRootLogin = "prohibit-password";
      UseDns = false;
      X11Forwarding = false;
      AllowTcpForwarding = false;
      AllowAgentForwarding = false;
    };

    # Only an Ed25519 host key is declared.
    hostKeys = [
      {
        path = "/etc/ssh/ssh_host_ed25519_key";
        type = "ed25519";
      }
    ];
  };

  networking.hostName = host.hostName;
  networking.domain = "";
  networking.hostId = "81238132";

  # Inbound TCP allowed from anywhere: both SSH ports, HTTP and HTTPS.
  # Refused connection attempts are logged.
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [
      22
      2022
      80
      443
    ];
    logRefusedConnections = true;
  };

  # Public keys allowed to log in as root. Both carry the same key comment
  # (e@t14).
  # NOTE(review): confirm both keys are still in use, since each one grants
  # full root access.
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDcL53Gdrj5V9YDwKlCBIcgqiS+zHtOQpJlnOHTevJCJ e@t14"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHM4Zr0PFN7QdOG2aJ+nuzRCK6caulrpY6bphA1Ppl8Y e@t14"
  ];

  system.stateVersion = "23.11";
}