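# NixOS module: enables the OpenSSH daemon, adds a client stanza for the
# deploy git host, and opens the SSH port in the firewall.
{ lib, config, ... }:
let
  # Single source of truth for the daemon port and the firewall rule below.
  sshPort = 22;
in
{
  services.openssh = {
    enable = true;
    ports = [ sshPort ];

    settings = {
      # NOTE(review): this was labelled "Harden", but `true` keeps password
      # logins enabled (it is also the NixOS default), so the port stays
      # exposed to password guessing. Left unchanged to avoid locking anyone
      # out; switch to `false` once every account that needs access has an
      # authorized key.
      PasswordAuthentication = true;
      # Root cannot log in over SSH at all, by password or by key.
      PermitRootLogin = "no";

      # Automatically remove stale sockets
      StreamLocalBindUnlink = "yes";
    };
  };

  # Client configuration for the deploy host. programs.ssh.extraConfig goes
  # into the system-wide client config, so this stanza applies to every local
  # user. The identity file's ownership and mode are not managed here; it
  # should be readable only by the account that performs deploys (verify).
  #
  # The original `StrictHostKeyChecking no` accepted any host key, including a
  # changed one, so a machine-in-the-middle could impersonate the git host to
  # the deploy key holder. `accept-new` still connects unattended the first
  # time but refuses a key that differs from the recorded one. Stronger:
  # pin the key declaratively and use `StrictHostKeyChecking yes`, e.g.
  #   programs.ssh.knownHosts."git.bitlab21.com".publicKey = "<HOST_PUBLIC_KEY_PLACEHOLDER>";
  programs.ssh.extraConfig = ''
    Host git.bitlab21.com
      IdentitiesOnly yes
      StrictHostKeyChecking accept-new
      IdentityFile /etc/ssh/deploy_key-ssh-ed25519
  '';

  # Keeps the firewall rule tied to the same port as the daemon.
  networking.firewall.allowedTCPPorts = [ sshPort ];
}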