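# OpenSSH server module: pubkey-only, ed25519-only SSH with an opt-in RSA
# escape hatch for user keys. The ed25519 host key is persisted across reboots
# when the impermanence module is enabled and doubles as the sops-nix age
# identity, so host-key rotation and secret decryption are coupled.
{ povSelf, config, lib, ... }:
let
  inherit (lib) types;
  # This module's own option tree, looked up by the path the framework passes in.
  cfg = lib.getAttrFromPath povSelf config;

  # Algorithm allow-lists shared by the sshd settings below. Every element is
  # exactly one algorithm name; the lists are joined with "," at the point of
  # use because sshd expects a single comma-separated value. (The original
  # config carried "ssh-ed25519,sk-ssh-ed25519@openssh.com" as one fused
  # element; the joined result here is byte-identical.)
  ed25519CertAlgorithms = [
    "ssh-ed25519-cert-v01@openssh.com"
    "sk-ssh-ed25519-cert-v01@openssh.com"
  ];
  ed25519PlainAlgorithms = [
    "ssh-ed25519"
    "sk-ssh-ed25519@openssh.com"
  ];
  ed25519Algorithms = ed25519CertAlgorithms ++ ed25519PlainAlgorithms;
in
{
  options = {
    # Master switch for everything in `config` below.
    enable = { type = types.bool; default = false; };
    # Additionally accept rsa-sha2-512 user keys (clients that cannot do
    # ed25519). Off by default so the default posture stays ed25519-only.
    enableRSASupport = { type = types.bool; default = false; };
    # TCP port sshd listens on.
    port = { type = types.port; default = 22; };
  };

  config = lib.mkIf cfg.enable {
    # Groups that gate SSH access (see AllowGroups below); gids are pinned.
    users.groups = {
      ssh = { gid = 200; };
      sftp = { gid = 201; };
    };

    # The host key is also the age identity sops uses to decrypt secrets.
    # This is required because the secrets need to be decrypted before the
    # users get created, but the impermanence bind-mounts get created _after_
    # the user creation, so sops is pointed at the persisted copy directly
    # whenever impermanence is on.
    sops.age.sshKeyPaths = [
      (
        if config.modules.filesystem.impermanence.system.enable
        then "/nix/persist/system/var/lib/sshd/ed25519_hostkey"
        else "/var/lib/sshd/ed25519_hostkey"
      )
    ];
    # Keep the host key across reboots; a regenerated host key would also
    # change the sops identity above and make existing secrets undecryptable.
    modules.filesystem.impermanence.system.dirs = [ "/var/lib/sshd" ];

    services.openssh = {
      enable = true;
      # Use socket activation via systemd
      startWhenNeeded = true;

      # Single ed25519 host key; no RSA/ECDSA host keys are generated.
      hostKeys = [
        { type = "ed25519"; path = "/var/lib/sshd/ed25519_hostkey"; }
      ];
      ports = [ cfg.port ];

      # TODO: Find out why the heck this kills my gpg-agent
      # extraConfig = "HostCertificate /run/secrets/hostcert";

      settings = {
        # Disable password authentication to enforce pubkey authentication
        PasswordAuthentication = false;
        # Disable keyboard-interactive authentication
        KbdInteractiveAuthentication = false;
        X11Forwarding = false;

        # Only allow users of the ssh and sftp groups to connect.
        # NOTE(review): nothing in this module restricts the sftp group to
        # SFTP-only (no Match block with ForceCommand internal-sftp or
        # ChrootDirectory); confirm that is configured elsewhere, or that
        # members of `sftp` are meant to get a full shell.
        AllowGroups = [ "sftp" "ssh" ];

        # The allow-lists below are joined by hand: the NixOS sshd settings
        # generator only renders lists as comma-separated values for a few
        # well-known keys (Ciphers, KexAlgorithms, Macs), so the remaining
        # keys have to be supplied as a ready-made string.
        CASignatureAlgorithms = lib.concatStringsSep "," ed25519PlainAlgorithms;
        HostBasedAcceptedAlgorithms = lib.concatStringsSep "," ed25519Algorithms;
        HostKeyAlgorithms = lib.concatStringsSep "," ed25519Algorithms;
        # User keys: ed25519 (plain and certificate) plus, only when opted in,
        # rsa-sha2-512. RSA certificates and rsa-sha2-256 remain disabled.
        PubKeyAcceptedAlgorithms = lib.concatStringsSep "," (
          ed25519Algorithms
          ++ lib.optionals cfg.enableRSASupport [ "rsa-sha2-512" ]
        );

        # Specifies the available KEX (Key Exchange) algorithms
        KexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
        # Specifies the available MAC (message authentication code) algorithms;
        # only the encrypt-then-MAC variants are offered.
        Macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-256-etm@openssh.com" ];
        # AEAD first, CTR as the only fallback; no CBC modes.
        Ciphers = [ "aes256-gcm@openssh.com" "aes256-ctr" ];
      };
    };
  };
}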