{
  lib,
  pkgs,
  ...
}: {
  age.identityPaths = ["/etc/ssh/ssh_host_ed25519_key"];

  services.openssh = {
    enable = true;
    openFirewall = true;
    hostKeys = [
      {
        path = "/etc/ssh/ssh_host_ed25519_key";
        type = "ed25519";
      }
    ];
    settings = {
      PermitRootLogin = "no";
      PasswordAuthentication = false;
    };
  };

  programs.ssh = {
    startAgent = true;
    enableAskPassword = true;
    askPassword = lib.getExe' pkgs.ksshaskpass "ksshaskpass";
  };

  environment.etc."ssh/ssh_config".text = lib.mkAfter ''
    Compression yes
    ServerAliveInterval 60
  '';
}