# NixOS module: hardened OpenSSH server behind a non-default port.
#
# Declares `nixfiles.modules.openssh.server.{enable,port}` and, when enabled,
# turns on sshd (key-only, no root login), mosh, and a fail2ban jail for sshd.
{ config, lib, pkgs, ... }:

let
  # Explicit inherits instead of `with lib;` so every lib name used is visible.
  inherit (lib) mkEnableOption mkForce mkIf mkOption types;

  serverCfg = config.nixfiles.modules.openssh.server;
in
{
  options.nixfiles.modules.openssh.server = {
    enable = mkEnableOption "OpenSSH server";

    port = mkOption {
      description = "OpenSSH server port.";
      type = types.port;
      # Port 22 should be occupied by a tarpit, so the real daemon listens
      # elsewhere. The non-default port only cuts scanner noise; the access
      # control is the key-only / no-root policy set below.
      default = 22022;
    };
  };

  config = mkIf serverCfg.enable {
    # NOTE(review): mosh talks over UDP after bootstrapping through SSH, and
    # the NixOS mosh module is expected to open a UDP port range in the
    # firewall. Confirm that extra exposure is intended on this host.
    programs.mosh.enable = true;

    services.openssh = {
      enable = true;
      ports = [ serverCfg.port ];

      # Required by fail2ban: the aggressive sshd filter matches messages that
      # are only emitted at this level.
      logLevel = "VERBOSE";

      # mkForce makes this win over any other module that defines the option
      # at normal priority, so root login cannot be re-enabled by accident.
      permitRootLogin = mkForce "no";

      # Public-key logins only.
      # NOTE(review): keyboard-interactive authentication is governed by a
      # separate option; verify it is disabled (or unusable via PAM) on the
      # NixOS release this targets, otherwise passwords may still be accepted.
      passwordAuthentication = false;
    };

    # The jail must name the custom port, otherwise bans would be applied to
    # the default ssh port and miss the real listener.
    # NOTE(review): this module only defines the jail; `services.fail2ban.enable`
    # is not set here, so confirm fail2ban itself is enabled elsewhere.
    services.fail2ban.jails.sshd = ''
      enabled = true
      mode = aggressive
      port = ${toString serverCfg.port}
    '';
  };
}