nix/hosts/common/configs/system/sshd/default.nix

{ ... }:
{
  environment = {
    enableAllTerminfo = true;
    persistence."/persist/state"."/var/lib/fail2ban" = { };
  };

  services = {
    openssh = {
      enable = true;
      settings = {
        PasswordAuthentication = false;
        PrintMotd = false;
      };
    };

    fail2ban = {
      enable = true;
      bantime = "24h";
      bantime-increment = {
        enable = true;
        maxtime = "720h";
        overalljails = true;
      };
    };
  };
}