# NixOS module: enables the OpenSSH daemon on a single port and opens that
# same port in the host firewall.
# `lib` and `config` are accepted but not referenced in this module.
{ lib, config, ... }:
let
  # Single source of truth for the SSH port; used by both sshd and the firewall rule below.
  sshPort = 22;
in {
  services.openssh = {
    enable = true;
    ports = [ sshPort ];
    settings = {
      # NOTE(review): the original comment here read "Harden", but
      # PasswordAuthentication = true leaves password logins enabled, so any
      # account with a password can be guessed at over the network on sshPort.
      # Once authorized keys are deployed for every account that needs access,
      # set this to false (and consider KbdInteractiveAuthentication = false as
      # well) so that only key-based logins are accepted.
      PasswordAuthentication = true;
      # Root cannot log in over SSH by any method; administrators log in as an
      # unprivileged user and escalate locally.
      PermitRootLogin = "no";
      # Automatically remove stale sockets: an existing Unix-domain socket file
      # is unlinked before a new forwarding socket is created at the same path.
      StreamLocalBindUnlink = "yes";
    };
  };

  # Allow inbound TCP on the SSH port.
  # NOTE(review): services.openssh.openFirewall already opens the configured
  # ports when left at its default; confirm whether this line is still needed.
  networking.firewall.allowedTCPPorts = [ sshPort ];
}