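# NixOS module: `global.auth` — opt-in OpenSSH server with key-only auth by default.
#
# Trusted public keys are collected at evaluation time from every regular file
# in ./pub (one key per file) and exposed as `global.auth.openssh.publicKeys`.
# NOTE(review): this module only *declares* `publicKeys`; nothing here wires it
# into `users.users.<name>.openssh.authorizedKeys.keys` — confirm a sibling
# module consumes `config.global.auth.openssh.publicKeys`, otherwise the keys
# are never authorized.
{ pkgs
, lib
, config
, ... }: with lib; let
  cfg = config.global.auth;
  ssh = cfg.openssh;

  # Contents of every regular file in ./pub, read into the store at eval time.
  pub = lib.pipe ./pub [
    builtins.readDir
    (lib.filterAttrs (_: ty: ty == "regular"))
    (lib.mapAttrsToList (name: _: builtins.readFile ./pub/${name}))
  ];

  # Port the firewall must open for sshd. With an explicit listen port sshd
  # binds only that port; with `port = null` the ListenAddress carries no port
  # and sshd falls back to the `Port` directive, i.e. `services.openssh.ports`.
  sshPorts =
    if ssh.port != null
    then [ ssh.port ]
    else config.services.openssh.ports;
in {
  options.global.auth = {
    enable = mkEnableOption "identity authentication in various software" // { default = true; };
    openssh = {
      enable = mkEnableOption "openssh server";
      # Off by default: both PasswordAuthentication and
      # KbdInteractiveAuthentication follow this single switch.
      password = mkEnableOption "password authentication";
      publicKeys = mkOption {
        type = with types; listOf str;
        default = pub;
        description = "list of trusted openssh keys";
      };
      addr = mkOption {
        type = with types; nullOr str;
        default = "0.0.0.0";
        description = "Host, IPv4 or IPv6 address to listen to.";
      };
      port = mkOption {
        type = with types; nullOr int;
        default = 22;
        description = "Port to listen to.";
      };
    };
  };

  config = mkIf cfg.enable {
    services.openssh = mkIf ssh.enable {
      enable = true;
      listenAddresses = [ { inherit (ssh) addr port; } ];
      # Key-only auth unless `password` is explicitly enabled; keyboard-interactive
      # must be disabled as well or PAM can still prompt for a password.
      settings.KbdInteractiveAuthentication = ssh.password;
      settings.PasswordAuthentication = ssh.password;
      # This module opens exactly the port sshd listens on (below). NixOS's
      # default `openFirewall = true` would additionally open
      # `services.openssh.ports` (22 by default), leaving 22 exposed whenever a
      # custom `port` is chosen — verify against your nixpkgs version.
      openFirewall = false;
    };

    networking.firewall.allowedTCPPorts = optionals ssh.enable sshPorts;

    # Persist host keys across reboots on an ephemeral root, so clients don't
    # see a changed host key after every boot.
    environment.persistence."/nix/persist/fhs".directories =
      optional ssh.enable "/etc/ssh";
  };
}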