diff --git a/modules/module-list.nix b/modules/module-list.nix
index aa190c7d2..8b2215ba3 100644
--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@@ -82,6 +82,7 @@
 ./services/nix-gc
 ./services/nix-optimise
 ./services/ofborg
+ ./services/openssh.nix
 ./services/postgresql
 ./services/privoxy
 ./services/redis
diff --git a/modules/services/openssh.nix b/modules/services/openssh.nix
new file mode 100644
index 000000000..859f79d80
--- /dev/null
+++ b/modules/services/openssh.nix
@@ -0,0 +1,33 @@
+{ config, lib, ... }:
+
+let
+ cfg = config.services.openssh;
+in
+{
+ options = {
+ services.openssh.enable = lib.mkOption {
+ type = lib.types.nullOr lib.types.bool;
+ default = null;
+ description = ''
+ Whether to enable Apple's built-in OpenSSH server.
+
+ The default is null which means let macOS manage the OpenSSH server.
+ '';
+ };
+ };
+
+ config = {
+ # We don't use `systemsetup -setremotelogin` as it requires Full Disk Access
+ system.activationScripts.launchd.text = lib.mkIf (cfg.enable != null) (if cfg.enable then ''
+ if [[ "$(systemsetup -getremotelogin | sed 's/Remote Login: //')" == "Off" ]]; then
+ launchctl enable system/com.openssh.sshd
+ launchctl bootstrap system /System/Library/LaunchDaemons/ssh.plist
+ fi
+ '' else ''
+ if [[ "$(systemsetup -getremotelogin | sed 's/Remote Login: //')" == "On" ]]; then
+ launchctl bootout system/com.openssh.sshd
+ launchctl disable system/com.openssh.sshd
+ fi
+ '');
+ };
+}
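Review bot: The `enable = false` branch in `modules/services/openssh.nix` fails open: sshd is booted out only when `systemsetup -getremotelogin` prints exactly `Remote Login: On`, so if that command errors or prints anything else, the guard is false and activation finishes with Remote Login left as it was. A setting meant to close a remote-access service should report an unrecognised state rather than skip it silently. One way is to capture the output once in a variable and add `elif [[ "$state" != "Off" ]]; then echo "openssh: unexpected Remote Login state '$state', sshd left unchanged" >&2`. The `enable = true` branch has the mirror-image gap, though there the failure leaves the service off. The option description could also say that `true` turns on Remote Login with the system's existing sshd configuration, since this module declares no option other than `enable`.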