# Home Manager-style module: an opt-in OpenSSH client configuration, switched
# on with `py.programs.ssh.enable`.
{ lib, config, ... }:
let
  cfg = config.py.programs.ssh;

  # Match block shared by "marvin" and "prefect"; only the address differs.
  #  - PreferredAuthentications = publickey: the client attempts public-key
  #    authentication only, so there is no fallback to a password prompt.
  #  - IdentitiesOnly = no (the OpenSSH default, spelled out here): every
  #    identity the agent holds may be offered, not just configured ones.
  #    Each offered key is visible to the server and counts as an
  #    authentication attempt there.
  keyAuthHost = address: {
    hostname = address;
    user = "thehedgehog";
    port = 22;
    extraOptions = {
      "IdentitiesOnly" = "no";
      "PreferredAuthentications" = "publickey";
    };
  };

  # SendEnv copies the local values of these variables to the server, which
  # uses them only if its AcceptEnv permits. WECHALLTOKEN is presumably a
  # credential (confirm); declaring it in this block rather than globally
  # keeps it from being sent to any other host.
  botwHost = {
    hostname = "bandit.labs.overthewire.org";
    port = 2220;
    sendEnv = [
      "WECHALLUSER"
      "WECHALLTOKEN"
    ];
  };
in
{
  options.py.programs.ssh.enable = lib.mkEnableOption "ssh";

  config = lib.mkIf cfg.enable {
    programs.ssh = {
      enable = true;
      compression = true;

      matchBlocks = {
        "marvin" = keyAuthHost "100.123.15.72";
        "prefect" = keyAuthHost "100.93.63.54";
        "botw" = botwHost;
      };

      # `Match host * exec …` makes ssh run gpg-connect-agent locally on every
      # invocation; UPDATESTARTUPTTY points gpg-agent at the current terminal.
      # Useful when gpg-agent serves as the SSH agent, which is presumably the
      # case here (confirm).
      extraOptionOverrides = {
        "Match" = ''host * exec "gpg-connect-agent UPDATESTARTUPTTY /bye"'';
      };
    };

    # ./ssh-auth-signers.nix must evaluate to a string. Text given to
    # home.file is written to the Nix store, which is world-readable, so that
    # file should contain public material only (signer identities and public
    # keys, presumably; confirm).
    home.file.".ssh/authorized_signatures".text = import ./ssh-auth-signers.nix;
  };
}