{...}: {
  services.openssh = {
    enable = true;
    ports = [22];
    settings = {
      UseDns = true;
      PermitRootLogin = "no";
      PasswordAuthentication = false;
      GatewayPorts = "yes";
      LogLevel = "VERBOSE";
    };
  };
  services.traefik.dynamicConfigOptions.tcp = {
    routers.ssh = {
      rule = "ClientIP(`192.168.0.0/16`)";
      entryPoints = ["ssh"];
      service = "ssh-redirect";
    };
    services.ssh-redirect.loadBalancer.servers = [{address = "localhost:22";}];
  };
}