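# NixOS module: enables the OpenSSH server, limits logins to the accounts
# listed in ../config/openssh.nix (`ssh_users`), and appends optional
# per-user `Match User` blocks taken from that file's `extraConfig.users`.
{ ... }:
let
  # NOTE(review): the import target was missing in the reviewed copy
  # (`import ;` does not parse). `<nixpkgs/lib>` is the presumed original;
  # confirm against the repository.
  lib = import <nixpkgs/lib>;

  opensshConfig = import ../config/openssh.nix;

  # Attribute set of { <user> = "<sshd_config lines>"; }. Falls back to an
  # empty set when `extraConfig.users` is absent or is not an attribute set.
  userExtraConfig =
    if opensshConfig ? extraConfig
       && opensshConfig.extraConfig ? users
       && builtins.isAttrs opensshConfig.extraConfig.users
    then opensshConfig.extraConfig.users
    else { };

  # Render one `Match User` block. The user name is placed on the Match line
  # as-is, so a name containing whitespace or a newline would either break
  # the line or add directives outside the block; reject it at evaluation
  # time instead of emitting a surprising sshd_config.
  #
  # `cfg` is inserted verbatim: whatever it contains applies to that user and
  # can override the global settings below (including PasswordAuthentication),
  # so ../config/openssh.nix must be reviewed as carefully as this file.
  renderUserMatch = user: cfg:
    assert lib.assertMsg
      (builtins.match "[^[:space:]]+" user != null)
      "openssh: Match User name '${user}' must be non-empty and contain no whitespace";
    ''
      Match User ${user}
        ${cfg}
    '';

  renderedUserMatches =
    lib.concatStringsSep "\n" (lib.mapAttrsToList renderUserMatch userExtraConfig);
in
{
  services.openssh = {
    enable = true;
    settings = {
      # NOTE(review): password logins are enabled while port 22 is opened in
      # the firewall below, so the listening service accepts password
      # guessing against every account in AllowUsers. If passwords are not
      # required, set this to false and rely on keys; otherwise pair it with
      # rate limiting and strong password policy.
      PasswordAuthentication = true;
      PermitRootLogin = "no";
      GatewayPorts = "no";
      # Only these accounts may log in; everyone else is refused by sshd.
      AllowUsers = opensshConfig.ssh_users;
    };
    # Match blocks must come last in sshd_config: a Match section extends to
    # the next Match line or the end of the file.
    extraConfig = renderedUserMatches;
  };

  # Opens TCP 22 in the host firewall.
  networking.firewall.allowedTCPPorts = [ 22 ];
}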