diff --git a/hosts/sombrero/configuration.nix b/hosts/sombrero/configuration.nix
index 1236722..e3b250b 100644
--- a/hosts/sombrero/configuration.nix
+++ b/hosts/sombrero/configuration.nix
@@ -70,20 +70,9 @@
         };
       };
     };
-
-    firewall = {
-      allowedTCPPorts = [
-        1122  # ssh
-      ];
-    };
   };
 
   services = {
-    openssh = {
-      enable = true;
-      ports = [ 1122 ];
-    };
-
     transmission = {
       enable = true;
       openFirewall = true;
@@ -169,6 +158,7 @@
   };
 
   mod = {
+    ssh.enable = true;
     docker.enable = true;
     nginx.enable = true;
     syncthing.enable = true;
diff --git a/hosts/sombrero/modules/ssh/default.nix b/hosts/sombrero/modules/ssh/default.nix
new file mode 100644
index 0000000..aacf2d5
--- /dev/null
+++ b/hosts/sombrero/modules/ssh/default.nix
@@ -0,0 +1,26 @@
+{ lib, config, ... }:
+let
+  enabled = config.mod.ssh.enable;
+in
+{
+  options = {
+    mod.ssh = {
+      enable = lib.mkEnableOption "enable ssh module";
+    };
+  };
+
+  config = lib.mkIf enabled {
+    services = {
+      openssh = {
+        enable = true;
+        ports = [ 1122 ];
+      };
+    };
+
+    networking = {
+      firewall = {
+        allowedTCPPorts = [ 1122 ];
+      };
+    };
+  };
+}