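# NixOS module: opt-in sshd with key-only authentication.
# Enabled via `vhack.openssh.enable`; the host key lives under /srv for the
# boot-ordering reason explained in the FIXME below.
{
  config,
  lib,
  ...
}: let
  cfg = config.vhack.openssh;
in {
  options.vhack.openssh = {
    enable = lib.mkEnableOption ''
      a sane openssh implementation.
    '';
  };

  config = lib.mkIf cfg.enable {
    /*
    FIXME(@bpeetz): This results in a boot error, as the `/var/lib/sshd`
    directory is only mounted _after_ the stage 2 init and with it the system
    activation. `agenix` needs the sshd hostkey however to decrypt the secrets
    and thus we have to ensure that this directory is mounted _before_ the
    system activation.

    Alas the only way I see to achieve that is to store the ssh hostkey
    directly on /srv, which is mounted before (it's marked as 'neededForBoot'
    after all).

    It should be possible to achieve this with impermanence however, as
    `/var/log` is mounted in the stage 1 init; The problem is that I have no
    idea _why_ only this is mounted and nothing else.

    vhack.persist.directories = [
      {
        directory = "/var/lib/sshd";
        user = "root";
        group = "root";
        mode = "0755";
      }
    ];
    */
    services.openssh = {
      enable = true;

      settings = {
        # Key-based login only.
        PasswordAuthentication = false;
        # `PasswordAuthentication = false` alone does not reject passwords:
        # sshd still offers the keyboard-interactive method (PAM-backed
        # password prompts) unless it is disabled as well.
        KbdInteractiveAuthentication = false;
      };

      hostKeys = [
        {
          # FIXME: Remove the dependency on `/srv` this workaround.
          # See the explanation for using `/srv` above.
          path = "/srv/var/lib/sshd/ssh_host_ed25519_key";
          # KDF rounds passed to ssh-keygen when the key is generated.
          rounds = 1000;
          type = "ed25519";
        }
      ];
    };
  };
}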