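# sshd hardening for hosts that are administered exclusively as root through
# SSH certificates.  Two certificate trust roots are configured:
#   1. the users CA deployed via agenix (`TrustedUserCAKeys`).  No
#      `AuthorizedPrincipalsFile` is set, so sshd matches certificate
#      principals against the login name — certificates from this CA must
#      carry the principal `root`;
#   2. the inline ECDSA CA in root's authorized_keys, which accepts the broader
#      principal list given there (see the comment on that entry).
{ config, ... }:
{
  age.secrets = {
    # Public key of the users CA.  Not confidential, but it is a trust anchor:
    # whoever can replace it can mint root certificates for this host, so it is
    # root-owned and 0400; sshd runs as root and can still read it.
    ssh_users_ca = {
      file = ../../secrets/common/ssh/users_ca.age;
      path = "/etc/ssh/users_ca.pub";
      owner = "root";
      group = "root";
      mode = "400";
    };
  };

  services.openssh = {
    enable = true;

    # Keywords that have no `settings.*` counterpart in nixpkgs.  sshd honours
    # the FIRST occurrence of most keywords, and nixpkgs renders `settings`
    # before `extraConfig`, so anything `settings` already emits (UsePAM,
    # LogLevel, PermitRootLogin, ...) must NOT be repeated here — a repeat is
    # silently shadowed.  Check the effective values with `sshd -T`.
    extraConfig = ''
      AcceptEnv LANG LC_*
      AllowAgentForwarding no
      # Public key (including certificates) is the only accepted method;
      # there is no fallback chain.
      AuthenticationMethods publickey
      # Forwarding is permitted; as only root may log in, this grants nothing
      # root does not already have on the host.
      AllowTcpForwarding yes
      MaxStartups 10:30:100
      PermitTTY yes
      PermitTunnel no
      PermitUserRC no
      PermitUserEnvironment no
      PrintLastLog yes
      SyslogFacility AUTH
      TCPKeepAlive yes
      TrustedUserCAKeys ${config.age.secrets.ssh_users_ca.path}
      VersionAddendum none
    '';

    settings = {
      AllowUsers = [ "root" ];
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      # Must live here, not in extraConfig: nixpkgs emits `UsePAM yes` from
      # this option by default and sshd keeps the first value it reads, so an
      # `UsePAM no` placed in extraConfig would be shadowed.  Without PAM no
      # pam_systemd/logind session is registered for SSH logins.
      UsePAM = false;
      # VERBOSE logs the fingerprint / certificate serial of the key that
      # authenticated, which is what makes CA-based root logins attributable.
      LogLevel = "VERBOSE";
      # Equivalent to "yes" while passwords and kbd-interactive are disabled
      # above; keeps root key/cert-only even if those are ever re-enabled.
      PermitRootLogin = "prohibit-password";
      # AEAD modes first, CTR as fallback.  CTR relies on the MAC list below;
      # prefer the EtM variants there.  Terrapin (CVE-2023-48795) concerns
      # chacha20-poly1305 and CBC-EtM when either peer lacks strict kex
      # (OpenSSH >= 9.6) — confirm the deployed OpenSSH and client versions.
      Ciphers = [
        "chacha20-poly1305@openssh.com"
        "aes256-gcm@openssh.com"
        "aes128-gcm@openssh.com"
        "aes256-ctr"
        "aes192-ctr"
        "aes128-ctr"
      ];
      # curve25519 is preferred; the NIST curves and group exchange are kept
      # for client compatibility and can be dropped once no client needs them.
      KexAlgorithms = [
        "curve25519-sha256@libssh.org"
        "ecdh-sha2-nistp521"
        "ecdh-sha2-nistp384"
        "ecdh-sha2-nistp256"
        "diffie-hellman-group-exchange-sha256"
      ];
      # Encrypt-then-MAC variants first; the three plain (MAC-then-encrypt)
      # entries at the end are compatibility fallbacks only.
      Macs = [
        "hmac-sha2-512-etm@openssh.com"
        "hmac-sha2-256-etm@openssh.com"
        "umac-128-etm@openssh.com"
        "hmac-sha2-512"
        "hmac-sha2-256"
        "umac-128@openssh.com"
      ];
    };

    # Route sftp-server logging to AUTHPRIV at INFO so transfers show up next
    # to the authentication log.
    sftpFlags = [ "-f AUTHPRIV" "-l INFO" ];
  };

  # Second CA trust root, scoped to root's account.  Any certificate signed by
  # this CA whose principals include `any`, `newcomer` or this host's FQDN
  # yields a root shell here; `any` and `newcomer` are therefore effectively
  # fleet-wide root grants for every host importing this module — confirm that
  # is the intended scope of those principals.  `no-touch-required` relaxes
  # the FIDO user-presence requirement for sk-backed keys under this CA; remove
  # it if hardware-token presence should be enforced.
  users.users.root.openssh.authorizedKeys.keys = [
    "cert-authority,no-touch-required,principals=\"any,newcomer,${config.networking.fqdn}\" ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBIpT7d7WeR88bs53KkNkZNOzkPJ7CQ5Ui6Wl9LXzAjjIdH+hKJieBMHrKew7+kzxGYaTqXWF1fQWsACG6aniy7VZpsdgTaNw7qr9frGfmo950V7IlU6w1HRc5c+3oVBWpg=="
  ];
}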