{ config, pkgs, lib, ... }:

# NixOS module with shared SSH settings: client-side algorithm restrictions
# and host aliases, pinned known-hosts files, and the authorized-keys lookup
# used by sshd.
let
  # Override priority one below lib.mkDefault's priority number. In the module
  # system a lower number wins, so this beats a plain lib.mkDefault elsewhere
  # but still yields to an ordinary (unwrapped) definition.
  mkPreferredDefault = lib.mkOverride ((lib.mkDefault null).priority - 1);

  # SSL added and removed here ;-)
  #
  # NIST-curve ECDSA key and certificate algorithms. They are subtracted from
  # the OpenSSH client defaults below (a leading `-` removes entries from the
  # default list instead of replacing it).
  # NOTE(review): the sk-ecdsa-* (FIDO) variants are not listed, so they stay
  # enabled; confirm that is intended.
  bannedAlgorithms = [
    "ecdsa-sha2-nistp256-cert-v01@openssh.com"
    "ecdsa-sha2-nistp384-cert-v01@openssh.com"
    "ecdsa-sha2-nistp521-cert-v01@openssh.com"
    "ecdsa-sha2-nistp256"
    "ecdsa-sha2-nistp384"
    "ecdsa-sha2-nistp521"
  ];

  # Comma-separated form, as ssh_config expects for algorithm lists.
  bannedList = lib.concatStringsSep "," bannedAlgorithms;
in
{
  # Static address entries for uhura (IPv4 and IPv6), so resolving this name
  # does not depend on DNS.
  networking.hosts = {
    "195.201.206.173" = [ "uhura.edef.eu" "uhura" ];
    "2a01:4f8:13a:2492::" = [ "uhura.edef.eu" "uhura" ];
  };

  programs = {
    # mosh follows sshd: enabled wherever services.openssh is enabled, unless
    # a host sets it explicitly.
    # NOTE(review): the NixOS mosh module presumably opens a UDP port range in
    # the firewall; confirm that exposure is wanted on every sshd host.
    mosh.enable = mkPreferredDefault config.services.openssh.enable;

    ssh = {
      # Client configuration only (ssh_config); nothing here changes what the
      # sshd server offers.
      #
      # NOTE(review): ssh_config keeps the first value obtained for each
      # option. As laid out here the global `VerifyHostKeyDNS ask` comes
      # before the `Match host gitlab.freedesktop.org,salsa.debian.org` block,
      # so its `VerifyHostKeyDNS yes` looks like it never takes effect; check
      # with `ssh -G <host>`. If `yes` is wanted, remember it trusts SSHFP
      # records only as far as the resolver's DNSSEC validation can be
      # trusted.
      extraConfig = ''
        CASignatureAlgorithms -${bannedList}
        HostKeyAlgorithms -${bannedList}
        VerifyHostKeyDNS ask

        Host uhura spock
            HostName %h.edef.eu
        Host hyperion
            HostName %h.kookie.space
        Host atuin
            HostName %h.qyliss.net
        Host codeberg
            HostName %h.org
        Host github gitlab
            HostName %h.com
        Host gitlab.fd.o
            HostName gitlab.freedesktop.org
        Host invent
            HostName %h.kde.org
        Host cl.tvl
            HostName %h.fyi
            Port 29418
        Host salsa
            HostName %h.debian.org
        Host whitby
            HostName %h.tvl.fyi

        Match host gitlab.freedesktop.org,salsa.debian.org
            VerifyHostKeyDNS yes

        Match host codeberg.org,github.com,gitlab.*,invent.kde.org,salsa.debian.org
            User git
      '';

      # Host keys shipped with the configuration, so first connections to
      # these hosts are checked against pinned keys instead of
      # trust-on-first-use.
      knownHostsFiles = [
        ./keys/atuin.keys
        ./keys/cl.tvl.keys
        ./keys/codeberg.keys
        ./keys/edef.keys
        ./keys/github.keys
        ./keys/gitlab.fd.o.keys
        ./keys/gitlab.gnome.org.keys
        ./keys/gitlab.keys
        ./keys/hyperion.keys
        ./keys/invent.keys
        ./keys/salsa.keys
        ./keys/whitby.keys
      ];
    };
  };

  services.openssh = {
    # sshd looks up `<username>.keys` inside the store copy of ./keys (%u is
    # expanded by sshd to the login name).
    # NOTE(review): the same ./keys directory also supplies the known-hosts
    # files above, so every file name there doubles as a username lookup;
    # separate directories for user keys and host keys would rule out overlap.
    authorizedKeysFiles = [ "${./keys}/%u.keys" ];

    # NOTE(review): presumably needed because the key files live under the Nix
    # store, whose directory permissions StrictModes would reject. Turning it
    # off also drops sshd's ownership/permission checks on any other
    # authorized-keys location and on home directories; confirm that
    # trade-off is acceptable.
    settings.StrictModes = false;
  };

  # Keys in qyliss.keys may log in as root, subject to the PermitRootLogin
  # setting, which this file does not set.
  users.users.root.openssh.authorizedKeys.keyFiles = [ ./keys/qyliss.keys ];
}