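# NixOS module: SSH client/server configuration for the host "tadpole".
#
# Enabled via `mod.ssh.enable`. It:
#   * configures the user's ssh client with a per-host identity for codeberg.org,
#   * serves sshd authorized keys from a directory of agenix-managed public keys
#     through an AuthorizedKeysCommand,
#   * installs the private/public codeberg key pair and the authorized public
#     key from age-encrypted secrets,
#   * runs sshd on TCP 1122 with password/keyboard-interactive auth disabled
#     and opens that port in the firewall.
{ pkgs, lib, config, ... }:
let
  enabled = config.mod.ssh.enable;

  # The only account whose logins are served by the authorized-keys command.
  user = "alex";
  home = "/home/${user}";

  # Directory from which the AuthorizedKeysCommand reads public keys.
  authorizedKeysPath = "${home}/.ssh/authorized-keys";

  # Local path of the private key used for codeberg.org (installed below by agenix).
  codebergIdentity = "${home}/.ssh/${user}.tadpole-codeberg.org";

  sshPort = 1122;
in
{
  options = {
    mod.ssh = {
      enable = lib.mkEnableOption "enable ssh module";
    };
  };

  config = lib.mkIf enabled {
    home-manager.users.${user} = {
      programs.ssh = {
        enable = true;
        matchBlocks = {
          "codeberg.org" = {
            hostname = "codeberg.org";
            identityFile = codebergIdentity;
          };
        };
      };
    };

    # AuthorizedKeysCommand script. sshd runs it (as authorizedKeysCommandUser,
    # i.e. root) for EVERY account that attempts public-key authentication and
    # treats its stdout as that account's authorized_keys.
    #
    # The username being authenticated is passed as $1 (explicit `%u` below).
    # Without the guard on $1 the keys under authorizedKeysPath would authorize
    # logins to every account on the host — including root, which NixOS's
    # default PermitRootLogin (prohibit-password) still accepts for public keys.
    environment.etc."ssh/authorized_keys_command" = {
      mode = "0755";
      text = ''
        #!${pkgs.bash}/bin/bash
        # $1 = target username supplied by sshd. Serve keys only for ${user};
        # every other account gets an empty key list.
        [ "$1" = "${user}" ] || exit 0
        # With nullglob an empty directory yields no iterations instead of a
        # literal "*" path that cat would fail on.
        shopt -s nullglob
        for file in ${authorizedKeysPath}/*; do
          # Skip anything that is not a regular file (subdirectories, dangling links).
          [ -f "$file" ] && ${pkgs.coreutils}/bin/cat "$file"
        done
        exit 0
      '';
    };

    age.secrets = {
      # Public key that is allowed to log in as ${user}. No owner is set, so it
      # keeps agenix's default ownership (presumably root, read-only) — the
      # command above runs as root, so it can read it; verify if
      # authorizedKeysCommandUser is ever changed to an unprivileged account.
      "alex.pinwheel-tadpole.pub" = {
        file = ../../../../secrets/pinwheel/alex.pinwheel-tadpole.pub.age;
        path = "${authorizedKeysPath}/alex.pinwheel-tadpole.pub";
      };
      # Client key pair for codeberg.org, owned by the user so the ssh client can read it.
      "alex.tadpole-codeberg.org" = {
        file = ../../../../secrets/tadpole/alex.tadpole-codeberg.org.age;
        path = codebergIdentity;
        owner = user;
        group = "users";
      };
      "alex.tadpole-codeberg.org.pub" = {
        file = ../../../../secrets/tadpole/alex.tadpole-codeberg.org.pub.age;
        path = "${codebergIdentity}.pub";
        owner = user;
        group = "users";
      };
    };

    services = {
      openssh = {
        enable = true;
        ports = [ sshPort ];
        hostKeys = [{
          path = "/etc/ssh/tadpole";
          type = "ed25519";
        }];
        settings = {
          # Public-key authentication only.
          PasswordAuthentication = false;
          KbdInteractiveAuthentication = false;
        };
        # `%u` passes the target username explicitly; the script refuses to
        # serve keys for anyone but ${user}.
        authorizedKeysCommand = "/etc/ssh/authorized_keys_command %u";
        # Root is required to read the root-owned agenix secret; the script is
        # kept minimal (a username check and `cat`) for that reason.
        authorizedKeysCommandUser = "root";
      };
    };

    networking = {
      firewall = {
        allowedTCPPorts = [ sshPort ];
      };
    };
  };
}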