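{ config, lib, fn, ... }:
# Hardened sshd configuration, applied only to hosts that list "openssh"
# in config.machine.services. The choices below follow:
#   https://infosec.mozilla.org/guidelines/openssh.html
#   https://stribika.github.io/2015/01/04/secure-secure-shell.html
let
  inherit (lib) mkIf elem concatMapStrings optionalString;

  # Space-separated login names for AllowUsers: every entry of
  # config.machine.administrators, plus the gitea service user when gitea
  # is enabled. Each name carries a trailing space, so the result ends in
  # one as well (harmless to sshd).
  # NOTE(review): an empty administrators list with gitea disabled yields
  # a bare "AllowUsers" line; confirm the module's config validation
  # rejects that instead of producing a config that admits nobody.
  allowedUsers =
    concatMapStrings (user: "${user.name} ") config.machine.administrators
    + optionalString config.services.gitea.enable (config.services.gitea.user + " ");
in
mkIf (elem "openssh" config.machine.services) {
  services.openssh = {
    enable = true;
    # Run sshd as a persistent daemon rather than socket-activated.
    startWhenNeeded = false;
    # In-process SFTP server logs to the AUTHPRIV facility at level INFO.
    sftpFlags = [ "-f AUTHPRIV" "-l INFO" ];

    # Every keyword that has a `settings` counterpart is set here rather
    # than in extraConfig: the NixOS module renders `settings` ahead of
    # `extraConfig`, and sshd uses the first value it reads for a keyword,
    # so a duplicate in extraConfig would be silently ignored. That is why
    # LogLevel lives here and not in the verbatim block below.
    settings = {
      KexAlgorithms = [ "curve25519-sha256@libssh.org" ];
      KbdInteractiveAuthentication = false;
      PasswordAuthentication = false;
      PermitRootLogin = "no";
      # VERBOSE makes sshd log the fingerprint of the key used for each
      # login, giving an audit trail of which key authenticated.
      LogLevel = "VERBOSE";
    };

    # Verbatim sshd_config lines for keywords the module does not manage
    # for us (AllowUsers).
    # NOTE(review): the NixOS module emits its own UsePAM value before
    # extraConfig, so "UsePAM no" here is probably overridden by the
    # first-value-wins rule above. Where the nixpkgs revision in use offers
    # settings.UsePAM, set it there instead — TODO confirm, and confirm the
    # intent: NixOS relies on PAM for login session setup.
    extraConfig = ''
      UsePAM no
      AllowUsers ${allowedUsers}
    '';
  };

  # Add public keys to /etc/ssh/authorized_keys.d
  # This replaces users.users.*.openssh.authorizedKeys.*
  # The NixOS sshd module reads /etc/ssh/authorized_keys.d/%u by default,
  # so one file per administrator, named after the user, is picked up.
  # fn.sopsHelper is a project helper; presumably it maps each
  # administrator to the sops secret users/<name>/publicKey and applies
  # the per-user attributes returned by the last argument — verify
  # against its definition.
  sops.secrets = fn.sopsHelper (user: "users/${user.name}/publicKey") config.machine.administrators (user: {
    path = "/etc/ssh/authorized_keys.d/${user.name}";
    # World-readable is acceptable here: the files hold public keys only.
    mode = "444";
  });
}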