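# NixOS module: run endlessh-go (an SSH tarpit) on TCP port 22, export its
# Prometheus metrics on loopback, and have Alloy scrape them.
#
# Operational caveats for anyone enabling this:
#   * The tarpit takes port 22, so the real sshd has to listen elsewhere.
#     That is not configured here; verify it before deploying to avoid a bind
#     conflict or locking yourself out.
#   * Every connecting source IP is sent to the third-party ip-api.com service
#     for geolocation (see extraOptions below).
{ config, lib, ... }:

let
  cfg = config.nixfiles.modules.endlessh-go;

  # Named explicitly instead of using `with`, so the metrics address/port
  # cannot be confused with the tarpit's public listenAddress/port.
  metrics = config.services.endlessh-go.prometheus;
in
{
  options.nixfiles.modules.endlessh-go.enable = lib.mkEnableOption "endlessh-go";

  config = lib.mkIf cfg.enable {
    # The geoip supplier below needs to resolve ip-api.com.
    # NOTE(review): presumably this list is the resolver's allow-list for
    # otherwise blocked names. Confirm against the unbound module.
    nixfiles.modules.unbound.zone.whitelist = [ "ip-api.com" ];

    services.endlessh-go = {
      enable = true;

      # Public tarpit listener. "0.0.0.0" is IPv4-only, so nothing in this
      # module listens on [::]:22.
      listenAddress = "0.0.0.0";
      port = 22;

      # Metrics stay on loopback; only the local Alloy agent should reach them.
      prometheus = {
        enable = true;
        listenAddress = "127.0.0.1";
        port = 9229;
      };

      # NOTE(review): with ip-api, each client IP leaves the host in a lookup
      # to an external service. As far as I know the free endpoint is plain
      # HTTP and rate-limited. If that is unacceptable, endlessh-go also
      # accepts "max-mind-db" (local database) or "off" here.
      extraOptions = [ "-geoip_supplier=ip-api" ];
    };

    # Alloy scrape job for the loopback metrics endpoint. Each attribute is on
    # its own line: Alloy terminates statements with newlines.
    environment.etc."alloy/endlessh.alloy".text = ''
      prometheus.scrape "endlessh" {
        targets = [
          {
            __address__ = "${metrics.listenAddress}:${toString metrics.port}",
            instance = "${config.networking.hostName}",
          },
        ]
        forward_to = [prometheus.relabel.default.receiver]
      }
    '';

    # Reload Alloy whenever the generated snippet changes.
    systemd.services.alloy.reloadTriggers = [
      config.environment.etc."alloy/endlessh.alloy".source
    ];

    # Open the tarpit port. allowedTCPPorts is not address-family specific, so
    # port 22 is also opened for IPv6 although the tarpit binds IPv4 only.
    # Make sure no real sshd ends up listening on [::]:22 unintentionally.
    networking.firewall.allowedTCPPorts = [ config.services.endlessh-go.port ];
  };
}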