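# NixOS module: declares `horseman.network.ssh.enable` and, when it is set,
# turns on an OpenSSH server restricted to public-key logins for one account.
{ lib, config, ... }:
let
  inherit (lib) mkEnableOption mkIf;
  cfg = config.horseman.network.ssh;
in
{
  options = {
    horseman.network.ssh = {
      # The description was an empty string, which leaves the generated option
      # documentation reading "Whether to enable .".
      enable = mkEnableOption "the key-only OpenSSH server for the horseman user";
    };
  };

  config = mkIf cfg.enable {
    services.openssh = {
      enable = true;
      settings = {
        # No direct root logins; administration goes through the allowed user.
        PermitRootLogin = "no";
        # Password and keyboard-interactive logins are both switched off here.
        # Keyboard-interactive is a separate sshd setting from password auth,
        # so both must be disabled to leave public-key login only.
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
        # Only this account may log in over SSH.
        AllowUsers = ["horseman"];
      };
      # NOTE(review): the secret names suggest these are user identity keys (a
      # personal key and a GitHub key) rather than dedicated host keys. If so,
      # the same private keys both identify this server and authenticate the
      # user elsewhere, and they are readable by root on this host. Prefer a
      # dedicated host-key secret. Confirm against the age secret definitions.
      # NOTE(review): unless services.openssh.hostKeys is overridden elsewhere,
      # the module's default host keys are presumably configured as well.
      extraConfig = ''
        Hostkey ${config.age.secrets.personalSSH.path}
        Hostkey ${config.age.secrets.githubSSH.path}
      '';
    };
  };
}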