# NixOS module: opinionated OpenSSH server (sshd) configuration.
#
# Enabled through `nixfiles.modules.openssh.server.enable`. The listening port
# is an option rather than a constant because port 22 is intended to be served
# by a tarpit on these hosts. When the local fail2ban module is enabled, sshd
# logs at VERBOSE and an `sshd` jail is declared on the same port.
{ config, lib, pkgs, ... }:
let
  # Explicit bindings instead of `with lib;` so every name used below is visible.
  # `my` is not a module argument, so it must come from `lib` (a personal lib overlay).
  inherit (lib) mkEnableOption mkIf mkForce mkOption my types;

  serverCfg = config.nixfiles.modules.openssh.server;
  fail2banEnabled = config.nixfiles.modules.fail2ban.enable;
in
{
  options.nixfiles.modules.openssh.server = {
    enable = mkEnableOption "OpenSSH server";

    port = mkOption {
      description = "OpenSSH server port.";
      type = types.port;
      default = 22022; # Port 22 should be occupied by a tarpit.
    };
  };

  config = mkIf serverCfg.enable {
    # TODO Enable on a fresh system.
    # Persist host keys and authorized_keys.d across rebuilds (currently disabled):
    # ark = {
    #   files = [
    #     "/etc/ssh/ssh_host_ed25519_key"
    #     "/etc/ssh/ssh_host_ed25519_key.pub"
    #     "/etc/ssh/ssh_host_rsa_key"
    #     "/etc/ssh/ssh_host_rsa_key.pub"
    #   ];
    #   directories = ["/etc/ssh/authorized_keys.d"];
    # };

    programs.mosh.enable = true;

    services.openssh = {
      enable = true;
      ports = [ serverCfg.port ];

      settings = {
        # NOTE(review): NixOS types `settings.AllowUsers` as a list of user
        # names; this assumes `lib.my.username` already has that shape — confirm.
        AllowUsers = my.username;

        # Drop a session after 3 unanswered keepalives sent 60 s apart.
        ClientAliveCountMax = 3;
        ClientAliveInterval = 60;

        KbdInteractiveAuthentication = false;

        # VERBOSE presumably because fail2ban's sshd filter matches on
        # VERBOSE-level messages. NOTE(review): with fail2ban off this drops to
        # ERROR, which suppresses failed-login records entirely (sshd's default
        # is INFO) — confirm that losing that audit trail is intended.
        LogLevel = if fail2banEnabled then "VERBOSE" else "ERROR";

        MaxAuthTries = 3;
        PasswordAuthentication = false;
        PermitRootLogin = mkForce "no";
      };
    };

    # Jail definition is declared unconditionally; it only takes effect when
    # services.fail2ban itself is enabled (handled by the fail2ban module).
    services.fail2ban.jails.sshd = ''
      enabled = true
      mode = aggressive
      port = ${toString serverCfg.port}
    '';
  };
}