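{
  pkgs,
  config,
  lib,
  assets,
  ...
}:
with lib;
with types;
let
  cfg = config.components.network.sshd;

  # Pre-login banner: the host name boxed to 80 columns, rendered at build
  # time so sshd would only have to read a static file.
  # maybe ascii-image-converter is also nice here
  sshBanner = pkgs.runCommand "ssh-banner" { nativeBuildInputs = [ pkgs.boxes ]; } ''
    echo "${config.networking.hostName}" | boxes -d ansi -s 80x1 -a r > $out
  '';

in
{

  imports = [
    ./known-hosts-public.nix
    ./known-hosts-manual.nix
    ./known-hosts-zerotier.nix
  ];

  options.components.network.sshd = {
    enable = mkOption {
      type = bool;
      default = true;
      description = ''
        run sshd (public-key only, no X11 forwarding) and install sshfs/mosh
      '';
    };
    onlyTincAccess = mkOption {
      type = bool;
      default = false;
      description = ''
        make sure ssh is only available through the tinc
      '';
    };
  };

  config = mkMerge [

    (mkIf cfg.enable {

      environment.systemPackages = [
        pkgs.sshfs
        pkgs.mosh
      ];

      services.openssh = {
        enable = true;
        settings.X11Forwarding = false;
        settings.PasswordAuthentication = false;
        # PasswordAuthentication=no alone does not stop password logins:
        # with PAM, keyboard-interactive still prompts for the account
        # password. Turn it off as well so only public keys are accepted.
        settings.KbdInteractiveAuthentication = false;

        # We might want to remove this once, openssh is fixed everywhere:
        # Workaround for CVE-2024-6387 and CVE-2024-6409
        # https://github.com/NixOS/nixpkgs/pull/323753#issuecomment-2199762128
        # settings.LoginGraceTime = 0;
      };

      # todo enable again when I can it's possible to set the `-q` ssh option in clan
      #services.openssh.banner = builtins.readFile sshBanner;

    })

    (mkIf (cfg.onlyTincAccess && cfg.enable) {
      # Stop the openssh module from opening port 22 on every interface
      # (its default) and allow it only on the tinc interfaces instead.
      # This replaces the earlier nat/REDIRECT rule, which was marked as
      # not working; it also keeps sshd itself listening so that tinc
      # peers can still connect.
      services.openssh.openFirewall = false;
      # `tinc.+` is the iptables interface wildcard (tinc.<network>).
      # NOTE(review): the nftables backend spells wildcards differently
      # ("tinc.*") -- confirm if networking.nftables.enable is set.
      networking.firewall.interfaces."tinc.+".allowedTCPPorts = [ 22 ];
    })
  ];

}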