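# OpenSSH module: two independent opt-in profiles, a client profile and a
# key-only server profile on a non-default port with a matching fail2ban jail.
{
  config,
  lib,
  pkgs,
  ...
}:
with lib; let
  cfg = config.nixfiles.modules.openssh;
in {
  options.nixfiles.modules.openssh = {
    # mkEnableOption prepends "Whether to enable " and appends "." itself, so
    # only the feature name is passed; the previous text rendered as
    # "Whether to enable Whether to enable OpenSSH client..".
    client.enable = mkEnableOption "OpenSSH client";
    server.enable = mkEnableOption "OpenSSH server";
  };

  config = mkMerge [
    (mkIf cfg.client.enable {
      # `hm` is not defined in this file; presumably a project-level alias for
      # the user's home-manager configuration. Confirm against the alias module.
      hm = {
        home.packages = with pkgs; [mosh sshfs];

        programs.ssh = {
          enable = true;

          # Connection multiplexing: the first session to a host becomes the
          # master and later sessions reuse it without authenticating again.
          # With a 24 hour persist time, an authenticated channel stays usable
          # by any process that can reach the control socket long after the
          # interactive session has ended. Shorten this if that window is wider
          # than the workstation's threat model allows.
          controlMaster = "auto";
          controlPersist = "24H";

          # Store host names hashed in known_hosts, so a disclosed file does
          # not enumerate the hosts this account connects to.
          hashKnownHosts = true;

          # Keepalive probe every 60 s; the connection is dropped after 30
          # unanswered probes (roughly 30 minutes of silence).
          serverAliveCountMax = 30;
          serverAliveInterval = 60;
        };
      };
    })

    (mkIf cfg.server.enable {
      # NOTE(review): mosh needs an inbound UDP port range; check what the
      # mosh module opens in the firewall on the nixpkgs revision in use.
      programs.mosh.enable = true;

      services = let
        # Single source of truth shared by sshd and the fail2ban jail below.
        # A non-default port only reduces log noise from scanners; the actual
        # controls are key-only authentication and the jail.
        port = 22022;
      in {
        openssh = {
          enable = true;
          ports = [port];

          # VERBOSE makes sshd log the fingerprint of the key used for each
          # login, which is what an audit needs to attribute a session to a key.
          logLevel = "VERBOSE";

          permitRootLogin = "no";

          # NOTE(review): only password authentication is disabled here.
          # Keyboard-interactive (PAM) authentication is a separate sshd
          # setting; confirm it is off as well, e.g. with
          # `kbdInteractiveAuthentication = false;` where the nixpkgs revision
          # in use provides that option.
          passwordAuthentication = false;
        };

        # NOTE(review): this only defines the jail. Nothing in this module sets
        # services.fail2ban.enable, so the jail is inert unless fail2ban is
        # enabled elsewhere in the configuration. Confirm.
        # The jail must name the custom port explicitly, otherwise bans would
        # be applied to the default ssh port rather than the one sshd uses.
        fail2ban.jails.sshd = ''
          enabled = true
          mode = aggressive
          port = ${toString port}
        '';
      };
    })
  ];
}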