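{ pkgs, lib, config, ... }:
# Shared identity/authentication settings: an OpenSSH server that is
# key-only by default, plus the firewall holes and persisted state it needs.
with lib;
let
  cfg = config.global.auth;

  # Trusted public keys, gathered at evaluation time from every regular file in
  # ./pub: each file is split into lines and blank lines are dropped.  Nothing
  # else is validated -- any line placed in ./pub becomes a trusted key wherever
  # `publicKeys` is consumed, so treat that directory as sensitive.
  # (Line order is not significant for authorized keys.)
  pub = lib.pipe ./pub [
    builtins.readDir
    (filterAttrs (_: ty: ty == "regular"))
    (mapAttrsToList (name: _: builtins.readFile ./pub/${name}))
    (concatMap (splitString "\n"))
    (filter (line: line != ""))
  ];
in
{
  options.global.auth = {
    enable = mkEnableOption "identity authentication in various software" // {
      default = true;
    };

    openssh = {
      enable = mkEnableOption "openssh server";

      # Off by default; while false, sshd only accepts public-key logins.
      password = mkEnableOption "password authentication";

      # Declared here but not consumed by this module.  A consumer (for example
      # users.users.<name>.openssh.authorizedKeys.keys) must exist elsewhere
      # for these keys to have any effect -- verify one does.
      publicKeys = mkOption {
        type = with types; listOf singleLineStr;
        default = pub;
        description = "list of trusted openssh keys";
      };

      # "0.0.0.0" binds every IPv4 interface only; IPv6 needs "::".
      # NOTE(review): null passes the type check, but the NixOS openssh module
      # interpolates addr into a ListenAddress line -- confirm null is usable.
      addr = mkOption {
        type = with types; nullOr str;
        default = "0.0.0.0";
        description = "Host, IPv4 or IPv6 address to listen to.";
      };

      # types.port rejects values outside 0..65535 at option-check time
      # instead of failing later in networking.firewall.allowedTCPPorts.
      port = mkOption {
        type = with types; nullOr port;
        default = 22;
        description = "Port to listen to.";
      };
    };
  };

  config = mkIf cfg.enable {
    services.openssh = mkIf cfg.openssh.enable {
      enable = true;
      listenAddresses = [ { inherit (cfg.openssh) addr port; } ];
      # Both knobs follow `password`: with only PasswordAuthentication off,
      # sshd can still prompt for a password via keyboard-interactive.
      settings.KbdInteractiveAuthentication = cfg.openssh.password;
      settings.PasswordAuthentication = cfg.openssh.password;
      # This module opens the configured port itself (below).  Left at its
      # default (true), the NixOS openssh module would also open
      # services.openssh.ports (default [ 22 ]), leaving a stray port-22 hole
      # whenever `port` is changed.  mkDefault keeps it overridable.
      openFirewall = mkDefault false;
    };

    networking.firewall.allowedTCPPorts =
      # NOTE(review): 1300 is opened to all hosts whenever global.auth is
      # enabled, even with openssh off; its purpose is not visible in this
      # module -- confirm that is intended.
      [ 1300 ] # utility port
      ++ optional (cfg.openssh.enable && cfg.openssh.port != null) cfg.openssh.port;

    # Persist /etc/ssh on hosts with an ephemeral root so the server keeps a
    # stable identity across reboots (presumably the sshd host keys live there).
    environment.persistence."/nix/persist/fhs".directories =
      optional cfg.openssh.enable "/etc/ssh";
  };
}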