{ lib, config, ... }:
with lib;
{
  config = {
    services.openssh = {
      enable = true;
      settings = {
        StrictModes = true;
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
        PermitEmptyPasswords = "no";
      };
    };

    networking.firewall.allowedTCPPorts = [
      (mkIf config.services.nginx.enable 80)
      (mkIf config.services.nginx.enable 443)
      (mkIf config.services.openssh.enable 22)
    ];
  };
}