{ config, pkgs, lib, ... }:

let
  inherit (lib) concatStringsSep;

  mkDefault = lib.mkOverride ((lib.mkDefault null).priority - 1);

  # SSL added and removed here ;-)
  bannedAlgorithms = [
    "ecdsa-sha2-nistp256-cert-v01@openssh.com"
    "ecdsa-sha2-nistp384-cert-v01@openssh.com"
    "ecdsa-sha2-nistp521-cert-v01@openssh.com"
    "ecdsa-sha2-nistp256"
    "ecdsa-sha2-nistp384"
    "ecdsa-sha2-nistp521"
  ];
in

{
  programs.mosh.enable = mkDefault config.services.openssh.enable;

  programs.ssh.extraConfig = ''
    CASignatureAlgorithms -${concatStringsSep "," bannedAlgorithms}
    HostKeyAlgorithms -${concatStringsSep "," bannedAlgorithms}
    VerifyHostKeyDNS ask

    Host spock
      HostName %h.edef.eu

    Host hyperion
      HostName %h.kookie.space

    Host atuin
      HostName %h.qyliss.net

    Host codeberg
      HostName %h.org

    Host github gitlab
      HostName %h.com

    Host gitlab.fd.o
      HostName gitlab.freedesktop.org

    Host invent
      HostName %h.kde.org

    Host cl.tvl
      HostName %h.fyi
      Port 29418

    Host salsa
      HostName %h.debian.org

    Host whitby
      HostName %h.tvl.fyi

    Match host gitlab.freedesktop.org,salsa.debian.org
      VerifyHostKeyDNS yes

    Match host codeberg.org,github.com,gitlab.*,invent.kde.org,salsa.debian.org
      User git
  '';

  services.openssh.enable = true;
  services.openssh.authorizedKeysFiles = [ "${./keys}/%u.keys" ];
  services.openssh.settings.PasswordAuthentication = false;
  services.openssh.settings.StrictModes = false;

  users.users.root.openssh.authorizedKeys.keyFiles = [ ./keys/qyliss.keys ];

  programs.ssh.knownHostsFiles = [
    ./keys/aarch64.nixos.community.keys
    ./keys/atuin.keys
    ./keys/cl.tvl.keys
    ./keys/codeberg.keys
    ./keys/edef.keys
    ./keys/github.keys
    ./keys/gitlab.fd.o.keys
    ./keys/gitlab.gnome.org.keys
    ./keys/gitlab.keys
    ./keys/hyperion.keys
    ./keys/invent.keys
    ./keys/salsa.keys
    ./keys/whitby.keys
  ];
}