{ lib, pkgs, config, ...}: let
  inherit (lib) elemAt splitString mapAttrs' hasAttr mkIf mkEnableOption mkOption;
  cfg = config.chuj.stuff.ssh;
  user = config.chuj.system.user;
in {
  options.chuj.stuff.ssh = {
    enable = mkEnableOption "ssh";
    keys = mkOption {
      type = lib.types.attrs;
      default = {};
    };
    authKeys = mkOption {
      type = lib.types.listOf lib.types.str;
      default = [];
    };
  };
  config = mkIf cfg.enable  {
    services.openssh = {
      enable = true;
      settings.PasswordAuthentication = false;
    };

    users.users.${user}.openssh.authorizedKeys.keys = cfg.authKeys;

    home-manager.users.${user}.programs.ssh = {
      enable = true;
      matchBlocks = mapAttrs'
        (host: hostcfg: {
          name = elemAt (splitString "@" host) 1;
          value = {
            user = elemAt (splitString "@" host) 0;

            identityFile = "~/.ssh/keys/${hostcfg.file}";

            setEnv = if hasAttr "env" hostcfg
              then hostcfg.env
              else {};
          };
        }) cfg.keys;
    };
  };
}