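{ config, lib, ... }:

with lib;

let
  cfg = config.nixfiles.modules.openssh;
in
{
  options.nixfiles.modules.openssh.server = {
    enable = mkEnableOption "OpenSSH server";

    port = mkOption {
      description = "OpenSSH server port.";
      type = types.port;
      # Port 22 should be occupied by a tarpit; the real daemon listens here.
      # Moving the port only cuts scanner noise, it is not an access control.
      default = 22022;
    };
  };

  config = mkIf cfg.server.enable {
    # authorized_keys is not added here because it only contains my SSH keys and
    # all non-declarative ones are located in the home directory.
    #
    # NOTE: the ed25519 and RSA *private* host keys are listed below, so the
    # host identity survives a reinstall. Whoever can read the backup can
    # impersonate this host to every client that has pinned it in known_hosts;
    # the backup target must therefore be treated as secret.
    ark.files = [
      "/etc/ssh/ssh_host_ed25519_key"
      "/etc/ssh/ssh_host_ed25519_key.pub"
      "/etc/ssh/ssh_host_rsa_key"
      "/etc/ssh/ssh_host_rsa_key.pub"
    ];

    # NOTE(review): the NixOS mosh module opens its UDP port range in the
    # firewall by default (verify `programs.mosh.openFirewall`). mosh sessions
    # are bootstrapped over the SSH port configured above, so the key-only
    # authentication policy below still applies to them.
    programs.mosh.enable = true;

    services = {
      openssh = {
        enable = true;
        ports = [ cfg.server.port ];

        settings = {
          # Drop sessions whose client has not answered 3 keepalives sent
          # 60 s apart, i.e. after ~3 minutes of a dead peer.
          ClientAliveCountMax = 3;
          ClientAliveInterval = 60;

          # Key-only authentication: no passwords and no keyboard-interactive
          # (the path PAM prompts arrive through). Root is never reachable over
          # SSH; mkForce so no other module can quietly re-enable it.
          KbdInteractiveAuthentication = false;
          PasswordAuthentication = false;
          PermitRootLogin = mkForce "no";

          # Cap authentication attempts per connection.
          MaxAuthTries = 3;

          # fail2ban's aggressive sshd filter expects VERBOSE to see pre-auth
          # failures. Without fail2ban, stay at INFO (sshd's default) rather
          # than ERROR: ERROR suppresses the "Accepted publickey" / "Failed"
          # lines, i.e. the entire authentication audit trail that incident
          # response relies on.
          LogLevel =
            if config.nixfiles.modules.fail2ban.enable then "VERBOSE" else "INFO";
        };
      };

      # Ban on the port sshd actually listens on, not fail2ban's default of 22.
      fail2ban.jails.sshd = ''
        enabled = true
        mode = aggressive
        port = ${toString cfg.server.port}
      '';
    };
  };
}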