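{ config, lib, ... }:
let
  inherit (lib) types;
  cfg = config.common.services.openssh;

  # The ed25519 host key is also the sops age decryption key, so sshd's
  # hostKeys entry and sops.age.sshKeyPaths must point at the same file.
  # With system persistence enabled the key lives on the persistent volume
  # (/var/lib/sshd is listed in persist.system.dirs below); otherwise it stays
  # in the regular state directory. Originally only the sops path was
  # conditional and hostKeys always used the /persist path, which left the
  # two out of sync whenever persistence was disabled.
  hostKeyPath =
    if config.common.configure.persist.system.enable
    then "/persist/system/var/lib/sshd/ssh_host_ed25519_key"
    else "/var/lib/sshd/ssh_host_ed25519_key";
in
{
  options.common.services.openssh = {
    enable = lib.mkEnableOption "openssh server";
    # When set, rsa-sha2-512 is added to the accepted user public key
    # algorithms; off by default so only ed25519 / sk-ed25519 user keys work.
    enableRSASupport = lib.mkEnableOption "rsa support";
    port = lib.mkOption {
      type = types.port;
      default = 22;
    };
  };

  config = lib.mkIf cfg.enable {
    # Fixed GIDs so the groups referenced by AllowGroups are stable across
    # rebuilds and across hosts.
    users.groups = {
      ssh = { gid = 200; };
      sftp = { gid = 201; };
    };

    # this is required because the secrets need to be decrypted before the users get created
    # but the impermanence bind-mounts get created _after_ the user creation...
    sops.age.sshKeyPaths = [ hostKeyPath ];

    common.configure.persist.system.dirs = [ "/var/lib/sshd" ];

    services.openssh = {
      enable = true;
      # Use socket activation via systemd
      startWhenNeeded = true;
      # Hostkeys: a single ed25519 key, at the same path sops decrypts with
      hostKeys = [
        {
          type = "ed25519";
          path = hostKeyPath;
        }
      ];
      ports = [ cfg.port ];
      # TODO: Find out why the heck this kills my gpg-agent
      # extraConfig = "HostCertificate /run/secrets/hostcert";
      settings = {
        # Disable password authentication to enforce pubkey authentication
        PasswordAuthentication = false;
        # Disable keyboardinteractive authentication
        KbdInteractiveAuthentication = false;
        X11Forwarding = false;
        # Only allow users of the ssh and sftp groups to connect
        AllowGroups = [ "sftp" "ssh" ];
        # Algorithm lists below are joined with "," because these keys are
        # freeform settings that sshd expects as a single comma-separated value.
        CASignatureAlgorithms = lib.concatStringsSep "," [
          "ssh-ed25519"
          "sk-ssh-ed25519@openssh.com"
        ];
        HostBasedAcceptedAlgorithms = lib.concatStringsSep "," [
          "ssh-ed25519-cert-v01@openssh.com"
          "sk-ssh-ed25519-cert-v01@openssh.com"
          "ssh-ed25519"
          "sk-ssh-ed25519@openssh.com"
        ];
        HostKeyAlgorithms = lib.concatStringsSep "," [
          "ssh-ed25519-cert-v01@openssh.com"
          "sk-ssh-ed25519-cert-v01@openssh.com"
          "ssh-ed25519"
          "sk-ssh-ed25519@openssh.com"
        ];
        # User key algorithms: ed25519 (plain, certificate and FIDO/sk forms)
        # only, plus rsa-sha2-512 when enableRSASupport is set.
        PubKeyAcceptedAlgorithms = lib.concatStringsSep "," (
          [
            "ssh-ed25519-cert-v01@openssh.com"
            "sk-ssh-ed25519-cert-v01@openssh.com"
            "ssh-ed25519"
            "sk-ssh-ed25519@openssh.com"
          ]
          ++ (lib.optionals cfg.enableRSASupport [ "rsa-sha2-512" ])
        );
        # Specifies the available KEX (Key Exchange) algorithms.
        # Hybrid post-quantum exchanges are listed first so they are preferred
        # when the client supports them; the curve25519 entries are the
        # classical fallback.
        KexAlgorithms = [
          "mlkem768x25519-sha256"
          "sntrup761x25519-sha512"
          "sntrup761x25519-sha512@openssh.com"
          "curve25519-sha256"
          "curve25519-sha256@libssh.org"
        ];
        # Specifies the available MAC (message authentication code) algorithms.
        # Only encrypt-then-MAC (-etm) variants are offered.
        Macs = [
          "hmac-sha2-512-etm@openssh.com"
          "hmac-sha2-256-etm@openssh.com"
        ];
        # AEAD ciphers first; aes256-ctr is kept only as a non-AEAD fallback
        # and relies on the etm MACs above for integrity.
        Ciphers = [
          "chacha20-poly1305@openssh.com"
          "aes256-gcm@openssh.com"
          "aes256-ctr"
        ];
      };
    };
  };
}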