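# NixOS module: baseline networking, sudo and SSH settings for a host.
#
# Arguments:
#   lib     - the nixpkgs library (only `lib.mkDefault` is used here).
#   sshPort - TCP port sshd listens on and the firewall opens; defaults to 22.
#             Supplied by the caller (e.g. through `_module.args` / `specialArgs`).
{ lib, sshPort ? 22, ... }:

{
  networking = {
    networkmanager.enable = true;

    # Cloudflare's public DNS resolvers (1.1.1.1 / 1.0.0.1).
    # NOTE(review): with NetworkManager enabled, confirm these take precedence
    # over DHCP-supplied resolvers on this host rather than being overridden.
    nameservers = [ "1.1.1.1" "1.0.0.1" ];

    firewall = {
      # mkDefault so another module can turn the firewall off without a
      # definition conflict.
      enable = lib.mkDefault true;
      # Keep in sync with services.openssh.ports below. (services.openssh
      # also opens its own ports via `openFirewall`, which presumably still
      # defaults to true; the explicit entry documents the intent.)
      allowedTCPPorts = [ sshPort ];
    };
  };

  security = {
    # Accept Let's Encrypt's terms of service; the ACME module refuses to
    # request certificates until this is set.
    acme = {
      acceptTerms = true;
      defaults.email = "them@dobutterfliescry.net";
    };

    sudo = {
      enable = true;
      # Members of `wheel` must still authenticate to sudo (by password, or by
      # an SSH agent key via the PAM settings below).
      wheelNeedsPassword = true;
    };

    # Let a forwarded SSH agent key satisfy sudo's PAM check
    # (pam_ssh_agent_auth), so interactive sudo needs no password entry.
    # NOTE(review): `enableSSHAgentAuth` is the older option name; newer NixOS
    # releases expose it as `security.pam.sshAgentAuth.enable` — confirm
    # against the release in use.
    pam = {
      enableSSHAgentAuth = true;
      services.sudo.sshAgentAuth = true;
    };
  };

  services = {
    openssh = {
      enable = true;
      ports = [ sshPort ];
      settings = {
        # Key-based authentication only. `PasswordAuthentication = false` is
        # not sufficient on its own: NixOS leaves KbdInteractiveAuthentication
        # enabled by default, and with UsePAM that method still hands the
        # login to PAM, which accepts the account password. Disable both.
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
        PermitRootLogin = "no";
        # Without AllowUsers every local account that has an authorized key
        # can log in; uncomment and list the accounts that should have SSH
        # access.
        # AllowUsers = [ "cry" ];
        # Reverse-resolve client addresses. Only needed for host-name patterns
        # in authorized_keys `from=` options; slows logins when DNS is slow or
        # unavailable.
        UseDns = true;
        X11Forwarding = false;
      };
    };
  };
}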