This PR adds fail2ban-service-type with a sshd jail setup and iptables-service-type with some basic rules which blocks all incoming traffic by default and only allow certain things like ssh on port 2222, HTTP on 80 and HTTPS 443.
This also adds a couple more options to openssh-service-type to disable root-login and password-authentication, so you can only login via a valid ssh key.