{ config, lib, pkgs, ... }:
let nathan = config.nathan;
in with lib; {
  config = mkIf nathan.services.ssh {
    networking.firewall = {
      allowedTCPPorts = [ 22 ];
      allowedUDPPorts = [ 22 ];
    };

    services.openssh = {
      enable = true;
      extraConfig = ''
        StreamLocalBindUnlink yes
      '';
      listenAddresses = [{
        addr = "0.0.0.0";
        port = 22;
      }];
      settings = {
        PasswordAuthentication = false;
        PermitRootLogin = "no";
      };
    };

    # Enable mosh for connecting from  phone or bad internet
    programs.mosh.enable = true;
  };
}