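# NixOS module: key-only OpenSSH server with optional mosh support.
#
# Options (under modules.services.ssh):
#   enable            - run sshd on TCP 22 and open that port in the firewall.
#   enableMoshSupport - additionally enable mosh and open its UDP port range.
#
# Firewall exposure is kept to what the two services actually listen on:
# SSH is TCP-only and mosh is UDP-only, so no UDP 22 and no TCP 60000-61000.
{ options, config, lib, pkgs, ... }:

with lib;
let
  cfg = config.modules.services.ssh;
in
{
  options.modules.services.ssh = {
    enable = mkEnableOption "enable ssh. you know what ssh is";
    enableMoshSupport = mkEnableOption "enable mosh, a roaming, UDP-based ssh implementation";
  };

  config = mkIf cfg.enable (mkMerge [
    {
      services.openssh = {
        enable = true;
        ports = [ 22 ];
        settings = {
          # Public-key logins only.
          # NOTE(review): keyboard-interactive authentication is a separate
          # sshd setting (KbdInteractiveAuthentication); confirm it is also
          # disabled if PAM password prompts must be impossible.
          PasswordAuthentication = false;

          # null leaves AllowUsers unset, so every account with a valid key
          # may log in. Can be a list such as [ "user1" "user2" ] to restrict.
          AllowUsers = null;

          # sshd performs a reverse DNS lookup on each connecting client.
          # NOTE(review): only needed for hostname-based rules (Match Host,
          # from="..." in authorized_keys), which then depend on DNS being
          # trustworthy; consider false if no such rules exist.
          UseDns = true;

          # Accepted values: "yes", "without-password", "prohibit-password",
          # "forced-commands-only", "no".
          PermitRootLogin = "no";
        };
      };

      # sshd listens on TCP only; keep this in sync with services.openssh.ports.
      networking.firewall.allowedTCPPorts = [ 22 ];
    }

    (mkIf cfg.enableMoshSupport {
      programs.mosh.enable = true;

      # mosh-server binds a UDP port from this range per session; the session
      # itself is bootstrapped over the SSH TCP port above, so no TCP range
      # is opened here.
      networking.firewall.allowedUDPPortRanges = [ { from = 60000; to = 61000; } ];
    })
  ]);
}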