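{ config, lib, pkgs, ... }:

# NixOS module for endlessh, an SSH tarpit that keeps unsolicited clients
# busy on the configured port.  Enabled via `nixfiles.modules.endlessh.enable`;
# the listening port is an option so the tarpit can be moved off 22 when the
# real OpenSSH daemon needs that port.
with lib;

let
  cfg = config.nixfiles.modules.endlessh;
in
{
  options.nixfiles.modules.endlessh = {
    enable = mkEnableOption "endlessh";

    port = mkOption {
      type = types.port;
      default = 22;
      description = "TCP port on which the tarpit listens.";
    };
  };

  config = mkIf cfg.enable {
    assertions = [
      {
        # The tarpit must not be placed on a port the real sshd listens on.
        assertion = !(any (x: x == cfg.port) config.services.openssh.ports);
        message = "Port ${toString cfg.port} is already occupied by OpenSSH";
      }
    ];

    systemd.services.endlessh = {
      description = "Endlessh SSH Tarpit";
      # `requires` only pulls the target in; `after` is what makes the unit
      # wait for it, so both are declared.
      requires = [ "network-online.target" ];
      after = [ "network-online.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        Restart = "always";
        # Port is passed as its own argument so no shell-style splitting of a
        # "-p N" string is relied upon.
        ExecStart = concatStringsSep " " [
          "${pkgs.endlessh}/bin/endlessh"
          "-v"
          "-4"
          "-p"
          (toString cfg.port)
        ];
        KillSignal = "SIGTERM";
        # Binding a port below 1024 needs CAP_NET_BIND_SERVICE.  Grant it as
        # an ambient capability and restrict the bounding set to the same
        # single capability so the process can never acquire any other.
        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
        # Runs as a transient unprivileged user; state lives in
        # /var/lib/endlessh owned by that user.
        DynamicUser = true;
        StateDirectory = "endlessh";
      };
    };

    # Open the tarpit port in the host firewall.
    networking.firewall.allowedTCPPorts = [ cfg.port ];
  };
}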