{
  config,
  pkgs,
  lib,
  ...
}: {
  # For rage encryption, all hosts need a ssh key pair
  services.openssh = {
    enable = true;
    # If you don't want the host to have SSH actually opened up to the net,
    # set `services.openssh.openFirewall` to false in your config.
    openFirewall = lib.mkDefault true;
    passwordAuthentication = lib.mkDefault false;
  };

  # Service that makes Out of Memory Killer more effective
  services.earlyoom.enable = true;
}