# NixOS module `mod.ssh`: turns on the SSH client for the home-manager user
# `alex`, runs an OpenSSH server on a non-default port, opens that port in the
# firewall, and places the server's ed25519 host key pair via `age.secrets`.
{ lib, config, ... }:
let
  enabled = config.mod.ssh.enable;

  # Single source for the listening port so sshd and the firewall cannot drift.
  # A non-default port only cuts scanner noise; it is not an access control.
  sshPort = 1122;

  hostKeyDir = "/etc/ssh";
  # Location sshd reads the private host key from, and where the decrypted
  # secret is placed.
  hostKeyFile = "${hostKeyDir}/root.backwards";
in
{
  options.mod.ssh.enable = lib.mkEnableOption "enable ssh module";

  config = lib.mkIf enabled {
    home-manager.users.alex.programs.ssh.enable = true;

    # NOTE(review): no `settings` are given here, so authentication policy
    # comes from NixOS defaults or from other modules. Confirm that
    # `services.openssh.settings.PasswordAuthentication` and
    # `settings.PermitRootLogin` are set as intended for a port that is
    # reachable through the firewall.
    services.openssh = {
      enable = true;
      ports = [ sshPort ];
      # Defining hostKeys replaces the option's default list, so this ed25519
      # key is the only host key declared by this module.
      hostKeys = [
        {
          type = "ed25519";
          path = hostKeyFile;
        }
      ];
    };

    # NOTE(review): `services.openssh.openFirewall` may already open the
    # configured ports; confirm whether this explicit rule is still needed.
    networking.firewall.allowedTCPPorts = [ sshPort ];

    # `file` is a Nix path (the encrypted blob is what gets copied into the
    # store); `path` is a plain string, so the decrypted key is only written
    # at the target location.
    #
    # NOTE(review): presumably agenix. If `age.identityPaths` is left at its
    # default (derived from `services.openssh.hostKeys`), the only decryption
    # identity would be the very file this secret creates. Confirm that an
    # independent identity is configured elsewhere or the key is provisioned
    # before first activation.
    # NOTE(review): verify the decrypted private key ends up owned by root and
    # not group/world readable; sshd refuses host keys with loose permissions.
    age.secrets = {
      "root.backwards" = {
        file = ../../../../secrets/backwards/root.backwards.age;
        path = hostKeyFile;
      };
      "root.backwards.pub" = {
        file = ../../../../secrets/backwards/root.backwards.pub.age;
        path = "${hostKeyFile}.pub";
      };
    };
  };
}