# NixOS module: opt-in OpenSSH server with restricted authentication.
#
# When `sysconfig.services.openssh.enable` is true, this module enables sshd,
# allows inbound TCP port 22 through the firewall, refuses root logins, and
# turns off password and keyboard-interactive authentication. When it is false
# (the default), none of the settings under `config` are applied.
{ config, lib, ... }:

let
  inherit (lib) mkForce mkIf mkOption types;

  # This module's own switch, separate from the upstream `services.openssh.enable`.
  cfg = config.sysconfig.services.openssh;
in
{
  options.sysconfig.services.openssh.enable = mkOption {
    type = types.bool;
    default = false;
  };

  config = mkIf cfg.enable {
    # NOTE(review): the port is hard-coded here. If `services.openssh.ports` is
    # set elsewhere, this rule does not follow it and 22 stays allowed.
    networking.firewall.allowedTCPPorts = [ 22 ];

    services.openssh.enable = true;
    services.openssh.settings = {
      # mkForce makes this win over normal-priority definitions in other
      # modules, so another module cannot quietly re-enable root login.
      PermitRootLogin = mkForce "no";

      # Both password-style mechanisms are off. Keyboard-interactive is disabled
      # too because it can otherwise offer a password prompt through PAM.
      # These two are NOT forced, so another module can still override them.
      # Public-key auth is not set here; presumably it is left at the sshd
      # default, so accounts need authorized keys provisioned - confirm.
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
    };
  };
}