{ pkgs, config, lib, ... }:

let
  cfg = config.system.ssh;
in
{
  options.system.ssh = {
    enable = lib.mkEnableOption "enables ssh";
  };

  config = lib.mkIf cfg.enable {
    # enable and configure openssh
    services.openssh = {
      enable = true;
      settings = {
        PasswordAuthentication = true;
        PermitRootLogin = "no";
        X11Forwarding = false;
      };
    };
    # open firewall
    networking.firewall.allowedTCPPorts = [ 22 ];
  };
}