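{ pkgs, config, lib, assets, ... }:
# SSH server component: key-only root login, sshguard brute-force blocking,
# and an optional "reachable through tinc only" firewall rule.
with lib;
with types;
let
  # Owner key that is always authorized for root, on top of whatever the
  # consuming host adds through `rootKeyFiles`.
  defaultRootKeyFiles = [ "${assets}/mrvandalo_rsa.pub" ];

  cfg = config.components.network.sshd;

  # maybe ascii-image-converter is also nice here
  # Hostname framed by `boxes`; currently unused (see the banner todo below).
  sshBanner = pkgs.runCommand "ssh-banner" { nativeBuildInputs = [ pkgs.boxes ]; } ''
    echo "${config.networking.hostName}" | boxes -d ansi -s 80x1 -a r > $out
  '';

  # Arguments for the "hide sshd from non-tinc interfaces" NAT rule.
  # `action` is `--append` or `--delete` so the same rule can be installed and
  # removed again. `tinc.+` is the iptables wildcard for every interface whose
  # name starts with "tinc.", so only traffic arriving elsewhere is redirected
  # to port 0, where nothing listens.
  sshRedirectRule = action:
    "--table nat ${action} PREROUTING ! --in-interface tinc.+ --protocol tcp --match tcp --dport 22 --jump REDIRECT --to-ports 0";
in
{
  imports = [
    ./known-hosts-public.nix
    ./known-hosts-manual.nix
    ./known-hosts-zerotier.nix
  ];

  options.components.network.sshd = {
    enable = mkOption {
      type = bool;
      default = true;
      description = "Run sshd with key-only authentication.";
    };
    rootKeyFiles = mkOption {
      type = listOf path;
      default = [ ];
      description = ''
        Public key files allowed to log in as root.
        The owner key shipped in `assets` is always appended and cannot be removed here.
      '';
    };
    sshguard.enable = mkOption {
      type = bool;
      default = config.components.network.sshd.enable;
      description = "Block brute-force sources with sshguard; on by default whenever sshd is enabled.";
    };
    onlyTincAccess = mkOption {
      type = bool;
      default = false;
      description = ''
        make sure ssh is only available through the tinc
        (port 22 on every non-tinc interface is redirected to port 0)
      '';
    };
  };

  config = mkMerge [
    (mkIf cfg.enable {
      environment.systemPackages = [ pkgs.sshfs pkgs.mosh ];
      services.openssh = {
        enable = true;
        settings = {
          X11Forwarding = false;
          # Both switches are required for "no passwords": PasswordAuthentication
          # alone leaves keyboard-interactive (PAM) password prompts enabled.
          PasswordAuthentication = false;
          KbdInteractiveAuthentication = false;
          # Root may authenticate with the keys configured below, never with a password.
          PermitRootLogin = "prohibit-password";
        };
      };
      users.users.root.openssh.authorizedKeys.keyFiles = cfg.rootKeyFiles ++ defaultRootKeyFiles;
      # todo enable again when I can it's possible to set the `-q` ssh option in clan
      #services.openssh.banner = builtins.readFile sshBanner;
    })

    (mkIf cfg.sshguard.enable {
      environment.systemPackages = [ pkgs.ipset ];
      services.sshguard.enable = lib.mkDefault true;
    })

    (mkIf (cfg.onlyTincAccess && cfg.enable) {
      # services.openssh.openFirewall (default true) still accepts port 22 on
      # every interface, so this NAT rule is what keeps non-tinc clients away
      # from sshd. `ip46tables` is the firewall script's helper that applies a
      # rule to IPv4 and, when networking.enableIPv6 is set, IPv6 as well; a
      # bare `iptables` call would leave sshd reachable over IPv6.
      # Requires the iptables firewall backend (extraCommands are not
      # available with networking.nftables).
      networking.firewall.extraCommands = ''
        ip46tables ${sshRedirectRule "--append"}
      '';
      # `--append` is not idempotent: remove the rule on stop so a firewall
      # restart does not stack duplicate copies of it.
      networking.firewall.extraStopCommands = ''
        ip46tables ${sshRedirectRule "--delete"} 2>/dev/null || true
      '';
    })
  ];
}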