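{
  config,
  lib,
  fn,
  ...
}:
# Hardened sshd profile for machines that list "openssh" in
# config.machine.services: key-only logins for the declared administrators,
# a single key-exchange algorithm, no PAM, verbose audit logging.
#
# For reference:
# https://infosec.mozilla.org/guidelines/openssh.html
# https://stribika.github.io/2015/01/04/secure-secure-shell.html
let
  inherit (lib) mkIf elem optional concatStringsSep;

  # Login allow-list: every declared administrator, plus the Forgejo service
  # account when that service is enabled on this machine.
  allowedUsers =
    map (user: user.name) config.machine.administrators
    ++ optional config.services.forgejo.enable config.services.forgejo.user;
in
mkIf (elem "openssh" config.machine.services) {
  assertions = [
    {
      # Fail closed at evaluation time: with no administrators the rendered
      # line would be an argument-less `AllowUsers`, which does not express
      # the restriction this module is meant to enforce.
      assertion = allowedUsers != [ ];
      message = "services.openssh: AllowUsers would be empty; declare at least one entry in machine.administrators.";
    }
  ];

  services.openssh = {
    enable = true;
    # Run sshd as a resident daemon rather than via systemd socket activation.
    startWhenNeeded = false;

    # sftp-server logging: AUTHPRIV facility at INFO, so file transfers are
    # recorded alongside login events.
    sftpFlags = [
      "-f AUTHPRIV"
      "-l INFO"
    ];

    # Typed options rendered by the NixOS module. sshd uses the FIRST value it
    # reads for a keyword, so anything the module already emits from its
    # `settings` defaults (UsePAM, LogLevel, ...) has to be overridden here;
    # a duplicate placed in extraConfig later in the file would be ignored.
    settings = {
      # Narrower than the module default, which also offers curve25519-sha256
      # and the sntrup761x25519 post-quantum hybrid; revisit if that is wanted.
      KexAlgorithms = [ "curve25519-sha256@libssh.org" ];
      # Public-key authentication only.
      KbdInteractiveAuthentication = false;
      PasswordAuthentication = false;
      PermitRootLogin = "no";
      # No PAM stack in the authentication or session path.
      UsePAM = false;
      # VERBOSE additionally logs the fingerprint of the key used for a login.
      LogLevel = "VERBOSE";
    };

    # The module emits no AllowUsers line of its own, so this entry is not at
    # risk of being shadowed by an earlier value.
    extraConfig = ''
      AllowUsers ${concatStringsSep " " allowedUsers}
    '';
  };

  # Add public keys to /etc/ssh/authorized_keys.d, which the module's default
  # AuthorizedKeysFile list consults as authorized_keys.d/%u.
  # This replaces users.users.*.openssh.authorizedKeys.*
  # Mode 444 is appropriate for public material and keeps the file
  # non-writable, as sshd's StrictModes check requires; ownership is left at
  # sops-nix's default (presumably root — verify on the deployed host).
  sops.secrets =
    fn.sopsHelper (user: "users/${user.name}/publicKey") config.machine.administrators
      (user: {
        path = "/etc/ssh/authorized_keys.d/${user.name}";
        mode = "444";
      });
}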