# OpenSSH client configuration, written against the Home Manager
# `programs.ssh` options and switched on with `eboskma.programs.ssh.enable`.
{ config, lib, ... }:
let
  inherit (lib) mkEnableOption mkIf;

  cfg = config.eboskma.programs.ssh;
  onWorkSystem = config.eboskma.var.workSystem;

  # Both identities point at the *public* half of the key. ssh_config(5)
  # permits this: the matching private key is then taken from ssh-agent.
  # NOTE(review): the `_sk_` names suggest FIDO/security-key backed keys;
  # confirm the agent actually holds the corresponding key handles.
  personalKey = "~/.ssh/id_ed25519_sk_personal.pub";
  horusKey = "~/.ssh/id_ed25519_sk_horus.pub";

  # Wraps a match block so it is only emitted on non-work machines.
  personalOnly = mkIf (!onWorkSystem);

  # Connection multiplexing: reuse one authenticated connection and keep the
  # master alive for `persist` after the last session closes. Any local
  # process that can reach the control socket can open sessions without
  # authenticating again, so ~/.ssh must stay private to the user.
  multiplexed = persist: {
    ControlMaster = "auto";
    ControlPersist = persist;
  };

  # Explicit algorithm lists. Because none of them uses a +/-/^ prefix they
  # REPLACE the OpenSSH defaults, so anything not named here is never
  # negotiated. Review on OpenSSH upgrades: for example the hybrid
  # post-quantum key exchanges (sntrup761x25519-sha512@openssh.com,
  # mlkem768x25519-sha256) are absent from KexAlgorithms.
  cryptoPolicy = {
    # AEAD ciphers first; the CTR modes depend on the MACs below.
    Ciphers = "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr";
    KexAlgorithms = "curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256";
    # Encrypt-then-MAC variants only.
    MACs = "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com";
    # Ed25519 (plain, sk and cert) and RSA with SHA-2; no ssh-rsa (SHA-1)
    # and no ECDSA host keys are accepted.
    HostKeyAlgorithms = "ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com";
  };
in
{
  options.eboskma.programs.ssh = {
    enable = mkEnableOption "activate ssh";
  };

  config = mkIf cfg.enable {
    programs.ssh = {
      enable = true;

      # Store hashed host names in known_hosts so the file does not list the
      # hosts this account connects to if it is ever disclosed.
      hashKnownHosts = true;

      # Socket path used by the multiplexed hosts below.
      controlPath = "~/.ssh/master-%r@%n:%p";

      matchBlocks = {
        # Defaults for every host.
        "*" = {
          identityFile = if onWorkSystem then horusKey else personalKey;
          # Offer only the configured identity, not every key in the agent.
          identitiesOnly = true;
          extraOptions = cryptoPolicy // {
            SetEnv = "TERM=xterm-256color";
          };
        };

        home = personalOnly {
          host = "home";
          hostname = "10.0.0.2";
          extraOptions = multiplexed "5m";
        };

        # Reached through `home` with ProxyJump, which does not require
        # forwarding the agent to the jump host.
        horus = personalOnly {
          host = "horus";
          hostname = "10.1.0.2";
          proxyJump = "home";
          extraOptions = multiplexed "5m";
        };

        # NOTE(review): no `.pub` suffix and no `_sk_` in the name, so this
        # looks like an on-disk private key; confirm it is passphrase
        # protected.
        "rsync.net" = personalOnly {
          hostname = "zh2088.rsync.net";
          user = "zh2088";
          identityFile = "~/.ssh/id_ed25519-rsync.net";
        };

        "git.datarift.nl" = {
          # Alternative endpoint, currently disabled:
          # hostname = "gitea.barn-beaver.ts.net";
          # port = 2222;
          hostname = "10.0.0.203";
          identityFile = personalKey;
        };

        # NOTE(review): logs in as root with `~/.ssh/id_ed25519`, which is
        # not one of the `_sk_` identities above; presumably a plain key
        # file. Confirm it is passphrase protected and restricted to this
        # host.
        hass = {
          hostname = "10.0.0.254";
          user = "root";
          identityFile = "~/.ssh/id_ed25519";
        };

        # forwardAgent exposes the local agent to the remote host for the
        # life of the session: any process there that can reach the forwarded
        # socket can request signatures from the loaded keys. Keep it limited
        # to hosts that need it, and prefer ProxyJump where the purpose is
        # only to hop onwards.
        horus-vpn = {
          hostname = "192.168.4.202";
          identityFile = horusKey;
          forwardAgent = true;
        };

        # Agent forwarding combined with a 10 minute persistent master: the
        # forwarded agent stays reachable on the remote side for as long as
        # the master connection lives. TODO confirm this is intended.
        "repohost.bedum.horus.nu" = {
          forwardAgent = true;
          extraOptions = multiplexed "10m";
        };

        # Agent forwarding enabled; see the note on horus-vpn.
        "gitea.bedum.horus.nu" = {
          forwardAgent = true;
        };

        monitoring = {
          hostname = "monitoring.internal.horus.nu";
          identityFile = horusKey;
        };

        buildserver2 = {
          hostname = "buildserver2.bedum.horus.nu";
          user = "horus";
          identityFile = horusKey;
        };
      };
    };
  };
}