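# NixOS module: opt-in OpenSSH server with root login and password
# authentication turned off.
#
# Setting `custom.sshd.enable = true` enables sshd with the settings below and
# allows its listening port(s) through the firewall.
{ lib, pkgs, config, ... }:

let
  # Pull in only the helpers used here instead of `with lib;`, so every name
  # in the module can be traced to its origin.
  inherit (lib) mkEnableOption mkIf;

  cfg = config.custom.sshd;
in
{
  # Define the option that enables this module. mkEnableOption prefixes its
  # argument with "Whether to enable", so only the noun phrase is passed.
  options.custom.sshd.enable =
    mkEnableOption "the OpenSSH server with root login and password authentication disabled";

  config = mkIf cfg.enable {
    services.openssh = {
      enable = true;

      # Root cannot log in over SSH at all, not even with a key.
      permitRootLogin = "no";

      # Rejects the "password" authentication method.
      # NOTE(review): keyboard-interactive authentication is controlled by a
      # separate option and is not turned off here; if it stays enabled, PAM
      # can still prompt for a password. Confirm against the NixOS release in
      # use and disable it as well if key-only login is the goal.
      passwordAuthentication = false;

      # NOTE(review): newer NixOS releases expose these two options as
      # services.openssh.settings.PermitRootLogin and
      # services.openssh.settings.PasswordAuthentication; migrate when the
      # system is upgraded.
    };

    # Open exactly the port(s) sshd listens on rather than a hard-coded 22, so
    # moving sshd to another port does not leave 22 open. The default value of
    # services.openssh.ports is [ 22 ].
    # NOTE(review): services.openssh.openFirewall normally opens these ports
    # already; this line is kept so the exposure is explicit in this module.
    networking.firewall.allowedTCPPorts = config.services.openssh.ports;
  };
}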