nix/hosts/common/configs/system/sshd/default.nix

{ ... }:
{
  nixpkgs.overlays = [
    (final: prev: {
      fail2ban = prev.fail2ban.overrideAttrs (oldAttrs: {
        patches = oldAttrs.patches or [ ] ++ [ ./remove-umask.patch ];
      });
    })
  ];

  environment = {
    enableAllTerminfo = true;
    persistence."/persist/state"."/var/lib/fail2ban" = { };
  };

  services = {
    openssh = {
      enable = true;
      settings = {
        PasswordAuthentication = false;
        PrintMotd = false;
      };
    };

    fail2ban = {
      enable = true;
      bantime = "24h";
      bantime-increment = {
        enable = true;
        maxtime = "720h";
        overalljails = true;
      };
    };
  };

  systemd.services.fail2ban.serviceConfig = {
    User = "root";
    Group = "fail2ban";
    UMask = "0117";
  };

  users.groups.fail2ban = { };
}