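{ options, config, lib, pkgs, ... }:
# NixOS module: opt-in OpenSSH server (public-key auth only, no root login)
# with optional mosh support layered on top of it.
with lib;
let
  cfg = config.modules.services.ssh;
  # Port range mosh hands out to clients; it roams over UDP only.
  moshPortRange = { from = 60000; to = 61000; };
in
{
  options.modules.services.ssh = {
    enable = mkEnableOption "enable ssh. you know what ssh is";
    enableMoshSupport = mkEnableOption "enable mosh, a roaming, UDP-based ssh implementation";
  };

  # Combine the conditional fragments with mkMerge, NOT with `//`:
  # mkIf returns a tagged record `{ _type = "if"; condition; content; }`,
  # so `mkIf a {...} // mkIf b {...}` just replaces the first record with
  # the second and the whole sshd configuration is silently dropped.
  config = mkIf cfg.enable (mkMerge [
    {
      services.openssh = {
        enable = true;
        settings = {
          # Key-based authentication only. Disabling PasswordAuthentication
          # alone is not enough: with PAM, keyboard-interactive can still
          # prompt for a password, so that method is switched off as well.
          PasswordAuthentication = false;
          KbdInteractiveAuthentication = false;
          # null = no AllowUsers directive, i.e. any local user may log in.
          # Restrict with e.g. [ "user1" "user2" ].
          AllowUsers = null;
          # Reverse-DNS the client on connect. Only affects hostname-based
          # `from=` restrictions and log lines; slows logins when rDNS is broken.
          UseDns = true;
          # Never allow direct root login; use an unprivileged user plus sudo.
          # Alternatives: "yes", "without-password", "prohibit-password",
          # "forced-commands-only".
          PermitRootLogin = "no";
        };
      };
      # sshd speaks TCP only, so no UDP/22 rule is opened.
      networking.firewall.allowedTCPPorts = [ 22 ];
    }

    # mosh bootstraps every session over ssh, so it is only offered when
    # sshd itself is enabled.
    (mkIf cfg.enableMoshSupport {
      programs.mosh.enable = true;
      # mosh traffic is UDP only; opening the same range on TCP would expose
      # a thousand ports nothing listens on. Note the option is a *list* of
      # ranges, so the value must be wrapped in [ ].
      networking.firewall.allowedUDPPortRanges = [ moshPortRange ];
    })
  ]);
}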