{ config, lib, ... }:
let
  cfg = config.my.systems.ssh;
in
{
  options.my.systems.ssh = {
    enable = lib.mkEnableOption "Enable SSH Server";
  };

  config = lib.mkIf cfg.enable {

    services.openssh = {
      enable = true;

      # require public key authentication for better security
      settings.PasswordAuthentication = false;
      settings.KbdInteractiveAuthentication = false;
      settings.PermitRootLogin = false;
    };
  };
}