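# NixOS module: run endlessh-go, an SSH tarpit, on the port a real sshd would
# otherwise occupy, so scanners and brute-forcers hang on a slow banner instead
# of reaching an actual OpenSSH.
#
# Security notes for the operator:
#  - The service is deliberately internet-facing, so it runs as a throwaway
#    DynamicUser with only CAP_NET_BIND_SERVICE and a tight systemd sandbox.
#    Run `systemd-analyze security endlessh-go` after changes to the sandbox.
#  - The default geoip supplier sends every connecting client address to the
#    third-party ip-api.com service; see `geoipSupplier` below.
#  - Only the tarpit port is opened in the firewall; the Prometheus port is
#    never opened by this module.
{ config, inputs, lib, pkgs, ... }:
let
  inherit (lib) mkEnableOption mkOption mkIf types any optional concatStringsSep;
  cfg = config.nixfiles.modules.endlessh-go;
in
{
  # imports = ["${inputs.nixpkgs-local}/nixos/modules/services/security/endlessh-go.nix"];

  options.nixfiles.modules.endlessh-go = {
    enable = mkEnableOption "endlessh-go";

    port = mkOption {
      description = "TCP port the tarpit listens on. Must not be one of services.openssh.ports while OpenSSH is enabled.";
      type = types.port;
      default = 22;
    };

    listenAddress = mkOption {
      description = "IPv4 address the tarpit binds to (the service is started with -conn_type=tcp4, so IPv6 is not served).";
      type = types.str;
      default = "0.0.0.0";
    };

    prometheusPort = mkOption {
      description = "Prometheus port.";
      type = types.port;
      default = 9119;
    };

    geoipSupplier = mkOption {
      description = ''
        Value passed verbatim to -geoip_supplier. The default, "ip-api",
        sends every connecting client address to the third-party ip-api.com
        service for geolocation; decide whether that outbound data sharing is
        acceptable for your deployment. Accepted values are whatever the
        endlessh-go binary supports.
      '';
      type = types.str;
      default = "ip-api";
    };

    openFirewall = mkOption {
      description = "Open the tarpit port in networking.firewall. The Prometheus port is never opened here.";
      type = types.bool;
      default = true;
    };
  };

  config = mkIf cfg.enable {
    assertions = [
      {
        # Only a running sshd can clash with the tarpit. services.openssh.ports
        # still carries its default when OpenSSH is disabled, so the check is
        # gated on services.openssh.enable to avoid a false positive.
        assertion = !(config.services.openssh.enable
          && any (p: p == cfg.port) config.services.openssh.ports);
        message = "Port ${toString cfg.port} is already occupied by OpenSSH";
      }
    ];

    systemd.services.endlessh-go = {
      description = "Endlessh SSH Tarpit";
      # Requires= alone does not order the unit relative to its dependency;
      # After= is what actually makes the service wait for the network.
      requires = ["network-online.target"];
      after = ["network-online.target"];
      wantedBy = ["multi-user.target"];

      serviceConfig = {
        ExecStart = concatStringsSep " " [
          "${pkgs.endlessh-go}/bin/endlessh-go"
          "-conn_type=tcp4"
          "-host=${cfg.listenAddress}"
          "-port=${toString cfg.port}"
          "-enable_prometheus"
          # NOTE(review): the metrics listener's bind address is not
          # constrained by this module; the firewall keeps cfg.prometheusPort
          # closed, so it is reachable only locally unless opened elsewhere.
          "-prometheus_port=${toString cfg.prometheusPort}"
          "-geoip_supplier=${cfg.geoipSupplier}"
          "-logtostderr"
          "-v=1"
        ];
        Restart = "always";
        KillSignal = "SIGTERM";

        # Ephemeral unprivileged user; the only privilege retained is binding
        # the low port. DynamicUser=true already implies NoNewPrivileges,
        # PrivateTmp, RemoveIPC, ProtectSystem=strict and ProtectHome=read-only.
        DynamicUser = true;
        StateDirectory = "endlessh-go";
        AmbientCapabilities = ["CAP_NET_BIND_SERVICE"];
        CapabilityBoundingSet = ["CAP_NET_BIND_SERVICE"];

        # This process talks to the whole internet on purpose, so keep the
        # blast radius of a bug in it small. AF_UNIX stays allowed because the
        # geoip lookup presumably goes through the NSS/resolver sockets.
        RestrictAddressFamilies = ["AF_INET" "AF_INET6" "AF_UNIX"];
        PrivateDevices = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        ProtectClock = true;
        ProtectHostname = true;
        ProtectProc = "invisible";
        ProcSubset = "pid";
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        SystemCallArchitectures = "native";
        # @system-service keeps @resources (the Go runtime adjusts RLIMIT_NOFILE
        # at startup); @privileged is dropped as nothing here needs it.
        SystemCallFilter = ["@system-service" "~@privileged"];
        UMask = "0077";
      };
    };

    networking.firewall.allowedTCPPorts = optional cfg.openFirewall cfg.port;
  };
}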