{...}: {
  services.openssh = {
    enable = true;
    settings = {
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      AllowUsers = null;
      PermitRootLogin = "no";
    };
    banner = ''
      OI! THIS IS A REALLY PRIVATE SERVER
      IF YOU'RE NOT WHO I THINK YOU ARE THEN FOCK OFF!
    '';

    hostKeys = [
      {
        bits = 4096;
        path = "/etc/ssh/ssh_host_rsa_key";
        type = "rsa";
      }
      {
        path = "/etc/ssh/ssh_host_ed25519_key";
        type = "ed25519";
      }
    ];
  };

  programs.ssh.startAgent = true;
  programs.mtr.enable = true;
  programs.gnupg.agent.enable = true;
}