{ ... }:
{
  flake.modules.nixos.openssh =
    {
      config,
      lib,
      host ? {
        isServer = false;
      },
      ...
    }:
    let
      hostUserNames = builtins.attrNames (
        lib.filterAttrs (_: user: user.isNormalUser or false) config.users.users
      );
    in
    {
      services.openssh = {
        enable = true;
        openFirewall = host.isServer;
        settings = {
          PermitRootLogin = "no";
          PasswordAuthentication = false;
          AllowUsers = hostUserNames;
        };
      };
    };
}