diff --git a/nixarr/jellyfin/default.nix b/nixarr/jellyfin/default.nix index eafe605..b65dd6e 100644 --- a/nixarr/jellyfin/default.nix +++ b/nixarr/jellyfin/default.nix @@ -25,7 +25,10 @@ in { expose = { enable = mkEnableOption '' - Enable expose for Jellyfin, exposing the web service to the internet. + Expose the Jellyfin web service to the internet. + + **Important:** Do _not_ enable this without setting up Jellyfin + authentication through localhost first! ''; upnp.enable = mkEnableOption '' @@ -35,13 +38,13 @@ in { domainName = mkOption { type = types.nullOr types.str; default = null; - description = "REQUIRED! The domain name to host Jellyfin on."; + description = "**REQUIRED:** The domain name to host Jellyfin on."; }; acmeMail = mkOption { type = types.nullOr types.str; default = null; - description = "REQUIRED! The ACME mail required for the letsencrypt bot."; + description = "**REQUIRED:** The ACME mail required for the letsencrypt bot."; }; }; }; diff --git a/nixarr/openssh/default.nix b/nixarr/openssh/default.nix new file mode 100644 index 0000000..2d073fa --- /dev/null +++ b/nixarr/openssh/default.nix 
@@ -0,0 +1,42 @@
+# TODO: Dir creation and file permissions in nix
+{
+ config,
+ lib,
+ ...
+}:
+with lib; let
+ cfg = config.nixarr.openssh;
+in {
+ options.nixarr.openssh.vpn.enable = {
+ type = types.bool;
+ default = false;
+ description = ''
+ Run the openssh service through a vpn.
+
+ **Note:** This option does _not_ enable the sshd service you still
+ need to setup sshd in your nixos configuration, fx:
+
+ ```nix
+ services.openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false;
+ };
+
+ users.extraUsers.username.openssh.authorizedKeys.keyFiles = [
+ ./path/to/public/key/machine.pub}
+ ];
+ ```
+ '';
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.openssh = mkIf (cfg.vpn.enable && config.services.openssh.enable) {
+ bindsTo = [ "netns@wg.service" ];
+ requires = [ "network-online.target" ];
+ after = [ "wg.service" ];
+ serviceConfig = {
+ NetworkNamespacePath = "/var/run/netns/wg";
+ };
+ };
+ };
+}
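Review bot: The namespace confinement is attached to `systemd.services.openssh`, but the NixOS OpenSSH module runs the daemon as the `sshd` unit, so as written sshd would keep listening in the host network namespace while `vpn.enable = true` reads as if SSH were reachable only through the VPN. The guard `config = mkIf cfg.enable` also reads an option this module never declares (only `vpn.enable` is), and the declaration is a plain attrset rather than `mkOption { ... }`, so the module is unlikely to evaluate at all. Suggested lines: `options.nixarr.openssh.vpn.enable = mkOption {`, `config = mkIf cfg.vpn.enable {` and `systemd.services.sshd = mkIf config.services.openssh.enable {`. The example in the description also has a stray `}` after `machine.pub`, which would be copied into user configurations.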