{
  config,
  lib,
  pkgs,
  ...
}:
with lib; let
  cfg = config.nixfiles.modules.openssh;
in {
  options.nixfiles.modules.openssh.server.enable =
    mkEnableOption "OpenSSH server";

  config = mkIf cfg.server.enable {
    programs.mosh.enable = true;

    services = let
      port = 22022; # Port 22 should be occupied by a tarpit.
    in {
      openssh = {
        enable = true;
        ports = [port];
        logLevel = "VERBOSE"; # Required by fail2ban.
        permitRootLogin = "no";
        passwordAuthentication = false;
      };

      fail2ban.jails.sshd = ''
        enabled = true
        mode = aggressive
        port = ${toString port}
      '';
    };
  };
}