diff --git a/faucet/auth/default.nix b/faucet/auth/default.nix
new file mode 100644
index 00000000..1c433054
--- /dev/null
+++ b/faucet/auth/default.nix
@@ -0,0 +1,49 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+ cfg = config.faucet.auth;
+ pub = lib.pipe ./pub [
+ builtins.readDir
+ (lib.filterAttrs (n: ty: ty == "regular"))
+ (lib.mapAttrsToList (n: _: builtins.readFile ./pub/${n}))
+ ];
+in {
+ options.faucet.auth = {
+ enable = mkEnableOption "identity authentication in various software" // { default = true; };
+ openssh = {
+ enable = mkEnableOption "openssh server";
+ password = mkEnableOption "password authentication";
+ publicKeys = mkOption {
+ type = with types; listOf str;
+ default = pub;
+ description = "list of trusted openssh keys";
+ };
+ addr = mkOption {
+ type = with types; nullOr str;
+ default = "0.0.0.0";
+ description = "Host, IPv4 or IPv6 address to listen to.";
+ };
+ port = mkOption {
+ type = with types; nullOr int;
+ default = 22;
+ description = "Port to listen to.";
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ services.openssh = mkIf cfg.openssh.enable {
+ enable = true;
+ listenAddresses = [ { inherit (cfg.openssh) addr port; } ];
+ settings.KbdInteractiveAuthentication = cfg.openssh.password;
+ settings.PasswordAuthentication = cfg.openssh.password;
+ };
+
+ networking.firewall.allowedTCPPorts = [ ] ++
+ optional (cfg.openssh.enable && (cfg.openssh.port != null)) cfg.openssh.port;
+
+ environment.persistence."/nix/persist/fhs".directories = [ ] ++
+ optional cfg.openssh.enable "/etc/ssh";
+ };
+}
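Review bot: The `publicKeys` option declared in this hunk is never consumed: the `config` block sets `services.openssh`, the firewall rule and the persistence entry, but nothing assigns `cfg.openssh.publicKeys` to any account, so with `password` defaulting to off the keys read from ./pub grant no access unless another module reads this option. Either wire it in, e.g. `users.users.<name>.openssh.authorizedKeys.keys = cfg.openssh.publicKeys;` for the intended account, or state in the option's description which module consumes it. Separately, `addr` is typed `nullOr str` but is passed straight into `listenAddresses`; if the NixOS sshd module rejects a null `addr` in that list (I believe it asserts on it), the null case should be filtered out or the type tightened to `str`. Also worth noting that the default `"0.0.0.0"` makes sshd listen on IPv4 only, which the description's mention of IPv6 may lead a reader not to expect.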