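{ lib, config, ... }:
#
# systemd sandboxing for sshd.
#
# Read this first: sshd runs every login shell as its own child process, and a
# child keeps the parent's mount namespace, seccomp filters, capability
# bounding set and cgroup device policy.  Every restriction below is therefore
# also a restriction on every SSH session -- root's included.  With this
# profile a session cannot mount(), chown() files it does not own, kill other
# users' processes, open AF_NETLINK sockets (`ip`, `ss`), create namespaces
# (`unshare`, bwrap, rootless containers), map memory writable+executable
# (JITs), or list other users' processes in /proc.  Decide whether that is
# acceptable for the people who log in here and what they need to do.
{
  config.systemd.services.sshd.serviceConfig = {
    # --- memory / execution ---------------------------------------------
    MemoryDenyWriteExecute = true;       # no W+X mappings; breaks JITs run inside sessions
    SystemCallArchitectures = "native";  # no 32-bit compat syscalls
    LockPersonality = true;
    RestrictRealtime = true;
    RestrictSUIDSGID = true;             # forbids *creating* setuid/setgid files; running sudo/su is unaffected

    # --- seccomp ---------------------------------------------------------
    # @privileged is an allow-list addition on top of @system-service;
    # presumably needed for chroot() (privsep / ChrootDirectory).  It also
    # admits @module, @reboot, @raw-io, @swap and @clock; those are neutralised
    # by the capability bounding set below, so the filter is defence in depth,
    # not the primary control.  No SystemCallErrorNumber= is set, so a
    # filtered syscall kills the calling process with SIGSYS instead of
    # returning an errno -- a user program in a session sees the same.
    SystemCallFilter = [ "@system-service" "@privileged" ];
    # Add "AF_NETLINK" if sessions must run ip/ss or anything else that talks
    # to the kernel over netlink.
    RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
    # Deny creation of each listed namespace type.  A type that is not listed
    # (e.g. time) stays allowed.
    RestrictNamespaces = [ "~pid" "~user" "~net" "~uts" "~mnt" "~cgroup" "~ipc" ];

    # --- capabilities ----------------------------------------------------
    # The most any process under sshd -- including a root login -- can ever
    # hold.  Deliberately absent: CAP_SYS_ADMIN, CAP_CHOWN, CAP_FOWNER,
    # CAP_KILL, CAP_NET_ADMIN, CAP_SYS_PTRACE, CAP_AUDIT_WRITE, ...  Names use
    # the documented upper-case form so the list reads consistently.
    CapabilityBoundingSet = [
      "CAP_NET_BIND_SERVICE"   # bind the privileged listening port
      "CAP_SETGID"             # switch to the login user
      "CAP_SETUID"
      "CAP_SYS_CHROOT"         # privsep chroot / ChrootDirectory
      "CAP_DAC_OVERRIDE"       # read key files and home dirs regardless of mode bits
    ];

    # --- kernel / proc / cgroup surface ----------------------------------
    ProtectKernelModules = true;
    ProtectKernelTunables = true;
    ProtectKernelLogs = true;
    ProtectControlGroups = true;
    ProtectClock = true;
    ProtectHostname = true;
    # hidepid for sshd and its sessions: a session only sees processes it
    # could ptrace; without CAP_SYS_PTRACE in the bounding set that presumably
    # hides other users' processes from root sessions as well.
    ProtectProc = "invisible";

    # --- file system -----------------------------------------------------
    PrivateMounts = true;
    # /tmp and /var/tmp are private to sshd and its sessions (shared among SSH
    # sessions, invisible to console logins) and wiped when sshd restarts.
    PrivateTmp = true;
    # Pseudo-devices like /dev/null only, no real devices.  systemd's "closed"
    # list also covers /dev/tty, /dev/ptmx and the pts devices, so pty
    # allocation for sessions should keep working -- verify on your systemd
    # version.
    DevicePolicy = "closed";
    # strict = the whole hierarchy read-only except /dev, /proc, /sys and the
    # paths listed here.  Sessions inherit the namespace, so anything a login
    # must write has to appear in ReadWritePaths.  If the list is too short,
    # every session gets a read-only $HOME and sshd's own utmp/wtmp/lastlog
    # updates fail (if your build records them), which blinds `last`/`w`/
    # `lastlog` to SSH logins.  Extend it for other trees your users write
    # (/srv, /opt, ...).  Administrative workflows such as `nixos-rebuild
    # switch` additionally rewrite /etc and /boot; run those from a console or
    # relax this setting if they must go over SSH.
    ProtectSystem = "strict";
    ReadWritePaths = [
      "/etc/ssh"   # host-key generation at first start, presumably
      "/home"
      "/root"
      "/var"       # /var/log/{wtmp,lastlog}, /var/lib, ...
      "/run"       # /run/utmp, per-session runtime dirs
      "/nix/var"   # per-user profiles and gc roots written by nix-env / nix profile
    ];

    # --- deliberately left off ------------------------------------------
    PrivateUsers = false;     # sshd must setuid()/setgid() to arbitrary real users
    ProtectHome = false;      # sessions need their home directories
    PrivateNetwork = false;   # sshd listens on the host's interfaces
    # Setuid helpers (sudo, su, passwd) and PAM in sessions need to gain
    # privileges.  Note this does NOT lift the restrictions above: the seccomp
    # filters and the bounding set are inherited regardless of NNP.
    NoNewPrivileges = false;
  };
}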