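# NixOS module: optional OpenSSH server with password-based logins disabled,
# plus the firewall openings for SSH and (when enabled) nginx.
{ lib, config, ... }:

let
  inherit (lib) mkIf mkMerge mkOption types;

  sshEnabled = config.server.networking.enableSSH;
in
{
  options.server.networking.enableSSH = mkOption {
    type = types.bool;
    default = true;
    example = false;
    description = ''
      Whether to run the OpenSSH daemon (password and keyboard-interactive
      logins disabled) and open its listening port(s) in the firewall.
    '';
  };

  config = {
    services.openssh = mkIf sshEnabled {
      enable = true;
      settings = {
        # sshd rejects keys when the home directory or authorized_keys
        # file has overly permissive ownership or modes.
        StrictModes = true;
        # Both must be off: keyboard-interactive can still present a
        # password prompt through PAM when PasswordAuthentication is disabled.
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
        PermitEmptyPasswords = "no";
        # NOTE(review): PermitRootLogin is not set in this module, so the
        # services.openssh default applies. Confirm that is the intended policy.
      };
    };

    networking.firewall.allowedTCPPorts = mkMerge [
      (mkIf config.services.nginx.enable [ 80 443 ])
      # Follow services.openssh.ports instead of a literal 22, so a host that
      # moves sshd to another port does not leave 22 open and the real port
      # closed. With the default port list this still opens 22.
      (mkIf sshEnabled config.services.openssh.ports)
    ];
  };
}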