# NixOS module: SSH client/server policy shared across hosts.
#
# What this module sets:
#   * client side (programs.ssh): drops the NIST-curve ECDSA host-key and
#     CA-signature algorithms, enables SSHFP lookups (VerifyHostKeyDNS),
#     defines short host aliases, and pins a few host keys / a host CA;
#   * server side (services.openssh): authorized keys are read from a
#     directory inside this repo (and therefore from the Nix store), which
#     is why StrictModes is disabled below — see the note there;
#   * mosh follows the sshd enable flag unless set explicitly elsewhere.
{ config, pkgs, lib, ... }:

let
  inherit (lib) concatStringsSep;

  # A "default" that is one notch stronger than lib.mkDefault (priority 1000;
  # lower number wins). It therefore overrides a plain mkDefault set by
  # another module but still yields to any un-prioritised assignment.
  mkDefault = lib.mkOverride ((lib.mkDefault null).priority - 1);

  # SSL added and removed here ;-)
  # Algorithms removed from the client's offer lists below. Both the bare
  # ECDSA key types and their certificate variants are listed so that the
  # removal covers HostKeyAlgorithms completely. Note that for
  # CASignatureAlgorithms only the bare "ecdsa-sha2-nistp*" names are
  # signature algorithms; the "-cert-v01@openssh.com" entries should match
  # nothing there and are harmless (the "-" prefix is a filter, not an
  # allow-list).
  bannedAlgorithms = [
    "ecdsa-sha2-nistp256-cert-v01@openssh.com"
    "ecdsa-sha2-nistp384-cert-v01@openssh.com"
    "ecdsa-sha2-nistp521-cert-v01@openssh.com"
    "ecdsa-sha2-nistp256"
    "ecdsa-sha2-nistp384"
    "ecdsa-sha2-nistp521"
  ];
in {
  # mosh is only useful where sshd runs; leave it overridable per host.
  programs.mosh.enable = mkDefault config.services.openssh.enable;

  # Client-side ssh_config.
  #
  # Security notes (reviewer):
  #   * "-<list>" removes the banned algorithms from the defaults rather than
  #     replacing the whole list, so new/better defaults from OpenSSH
  #     upgrades are still picked up.
  #   * VerifyHostKeyDNS=ask consults SSHFP records but still prompts the
  #     user; the "yes" for gitlab.freedesktop.org makes a matching SSHFP
  #     record authoritative, which is only sound when the local resolver
  #     performs DNSSEC validation (AD bit). NOTE(review): confirm the
  #     resolver on these hosts validates; otherwise ssh falls back to the
  #     usual prompt with a warning.
  #   * Only github.com, gitlab.com, cl.tvl.fyi and edef.eu/*.edef.eu have
  #     keys (or a CA) pinned in programs.ssh.knownHosts below; the aliases
  #     for kookie.space, qyliss.net and nixcon.net rely on SSHFP or
  #     first-use acceptance unless pinned elsewhere in the configuration.
  #   * Host aliases expand via HostName %h.<domain>; known_hosts matching
  #     is done against the expanded name, so the pins below apply to the
  #     "github"/"gitlab" aliases as well.
  programs.ssh.extraConfig = ''
    CASignatureAlgorithms -${concatStringsSep "," bannedAlgorithms}
    HostKeyAlgorithms -${concatStringsSep "," bannedAlgorithms}
    VerifyHostKeyDNS=ask

    Host uhura spock
      HostName %h.edef.eu

    Host hyperion
      HostName %h.kookie.space

    Host atuin
      HostName %h.qyliss.net

    Host github gitlab
      HostName %h.com

    Host cl.tvl
      HostName %h.fyi
      Port 29418

    Host slide-rule relay01
      HostName relay01.nixcon.net

    Host abacus dash01
      HostName dash01.nixcon.net

    Match host gitlab.freedesktop.org
      VerifyHostKeyDNS=yes

    Match host github.com,gitlab.com,gitlab.freedesktop.org
      User git
  '';

  # Per-user authorized keys come from ./keys/<user>.keys in this repo. The
  # path is interpolated, so at evaluation time ./keys is copied into the
  # Nix store and sshd reads e.g. /nix/store/...-keys/alice.keys. Public
  # keys being world-readable in the store is fine.
  services.openssh.authorizedKeysFiles = [ "${./keys}/%u.keys" ];

  # NOTE(review): StrictModes is presumably disabled because sshd's path
  # check walks up the parents of each authorized-keys file and rejects
  # group/world-writable directories, which a store path does not pass —
  # verify that this is the reason. The cost is global: sshd also stops
  # checking ownership/permissions on per-user files (e.g.
  # ~/.ssh/authorized_keys) if those are still in authorizedKeysFiles, so a
  # world-writable ~/.ssh on any account would go unnoticed. If the
  # store-path trick can be dropped, prefer the users.users.<name>.openssh
  # key options, which NixOS places under root-owned paths that satisfy
  # StrictModes.
  services.openssh.strictModes = false;

  # Root is reachable with the key(s) in ./keys/qyliss.keys. NOTE(review):
  # whether password/keyboard-interactive root logins are refused depends on
  # services.openssh.settings.PermitRootLogin, which is not set here —
  # confirm the effective value on these hosts.
  users.users.root.openssh.authorizedKeys.keyFiles = [ ./keys/qyliss.keys ];

  # Pinned host keys / host CA. Entries with certAuthority = true accept any
  # host certificate signed by the listed key for the listed hostNames.
  programs.ssh.knownHosts = {
    "github.com" = {
      publicKeyFile = ./keys/github.keys;
    };
    "gitlab.com" = {
      publicKeyFile = ./keys/gitlab.keys;
    };
    # One CA key vouches for every host under edef.eu (and the apex itself).
    "edef" = {
      certAuthority = true;
      hostNames = [ "edef.eu" "*.edef.eu" ];
      publicKeyFile = ./keys/edef.keys;
    };
    # Pinned by the real hostname; the "cl.tvl" alias above expands to it.
    "cl.tvl" = {
      hostNames = [ "cl.tvl.fyi" ];
      publicKeyFile = ./keys/cl.tvl.keys;
    };
  };
}