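# NixOS module: opt-in, key-only OpenSSH daemon with a single ed25519 host key.
#
# Enabled through `vhack.openssh.enable`. Everything under `config` is only
# applied when that option is set.
{
  config,
  lib,
  ...
}: let
  cfg = config.vhack.openssh;
in {
  options.vhack.openssh = {
    enable = lib.mkEnableOption ''
      a sane openssh implementation.
    '';
  };

  config = lib.mkIf cfg.enable {
    services.openssh = {
      enable = true;

      settings = {
        # Public-key login only.
        PasswordAuthentication = false;

        # PasswordAuthentication alone does not close the password path:
        # keyboard-interactive is a separate sshd method that, with PAM
        # enabled, can still prompt for the account password. NixOS leaves it
        # on by default, so switch it off here as well. mkDefault keeps this
        # overridable for a host that really needs PAM-driven prompts.
        KbdInteractiveAuthentication = lib.mkDefault false;
      };

      # Declaring hostKeys replaces the NixOS default list, so this ed25519
      # key is the only host key the daemon offers.
      hostKeys = [
        {
          # See the explanation for this in /system/impermanence/mods/openssh.nix
          # path = "/var/lib/sshd/ssh_host_ed25519_key";

          # FIXME: Remove this workaround
          # NOTE(review): the private host key lives outside /var/lib here;
          # confirm /srv/var/lib/sshd is persistent and root-only, since a
          # readable or regenerated host key undermines server authentication.
          path = "/srv/var/lib/sshd/ssh_host_ed25519_key";

          # KDF rounds handed to ssh-keygen when the key is generated.
          # NOTE(review): presumably the key is created without a passphrase,
          # in which case the round count adds no protection - confirm.
          rounds = 1000;
          type = "ed25519";
        }
      ];
    };
  };
}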