# NixOS module: hardened OpenSSH server (plus mosh and a fail2ban sshd jail).
#
# Exposes `nixfiles.modules.openssh.server.{enable,port}` and, when enabled,
# configures `services.openssh` with key-only authentication and root login
# forced off.
{ config, lib, ... }:

let
  cfg = config.nixfiles.modules.openssh;
  fail2banEnabled = config.nixfiles.modules.fail2ban.enable;
in
{
  options.nixfiles.modules.openssh.server = {
    enable = lib.mkEnableOption "OpenSSH server";

    port = lib.mkOption {
      description = "OpenSSH server port.";
      type = lib.types.port;
      # Deliberately not 22: that port is intended to be occupied by a tarpit.
      default = 22022;
    };
  };

  config = lib.mkIf cfg.server.enable {
    # Host key pairs registered with the `ark` option (private keys included).
    # NOTE(review): presumably this persists/backs them up so the host identity
    # survives rebuilds — confirm against the ark module and make sure the
    # destination is protected accordingly.
    ark.files = [
      "/etc/ssh/ssh_host_ed25519_key"
      "/etc/ssh/ssh_host_ed25519_key.pub"
      "/etc/ssh/ssh_host_rsa_key"
      "/etc/ssh/ssh_host_rsa_key.pub"
    ];

    # mosh rides on top of sshd for authentication; the NixOS module opens its
    # UDP port range in the firewall by default (see `programs.mosh.openFirewall`).
    programs.mosh.enable = true;

    services.openssh = {
      enable = true;
      # Only the configured port is listened on; the NixOS module opens it in the
      # firewall by default (`services.openssh.openFirewall`).
      ports = [ cfg.server.port ];

      settings = {
        # Drop idle sessions after 3 unanswered keepalives at 60 s intervals.
        ClientAliveCountMax = 3;
        ClientAliveInterval = 60;

        # Public-key authentication only: no passwords, no keyboard-interactive.
        KbdInteractiveAuthentication = false;
        PasswordAuthentication = false;
        MaxAuthTries = 3;

        # VERBOSE produces the per-attempt lines the fail2ban sshd filter
        # (aggressive mode below) matches on. When fail2ban is off, ERROR is
        # quieter than sshd's default INFO and suppresses routine login records,
        # so auditing relies on other sources in that case.
        LogLevel = if fail2banEnabled then "VERBOSE" else "ERROR";

        # Forced so no other module can re-enable root login (NixOS's own
        # default would be "prohibit-password").
        PermitRootLogin = lib.mkForce "no";
      };
    };

    # Jail definition is declared unconditionally; it only takes effect when the
    # fail2ban service itself is enabled.
    services.fail2ban.jails.sshd = {
      enabled = true;
      settings = {
        mode = "aggressive";
        # Watch the same non-default port sshd listens on.
        port = cfg.server.port;
      };
    };
  };
}