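{ lib, config, ... }:
# NixOS module: hardened sshd (key-only logins), impermanence-aware host key
# location, and client config for the git deploy host.
let
  sshPort = 22;
  # True when the impermanence module declares a "/persist" mount. Checked
  # with hasAttrByPath so that evaluation does not fail on hosts that never
  # import that module (plain `config.environment.persistence ? ...` would
  # evaluate the missing attribute first).
  hasOptinPersistence =
    lib.hasAttrByPath [ "environment" "persistence" "/persist" ] config;
  # Host keys are stored under /persist on impermanent hosts so they survive a
  # root wipe; otherwise the stock /etc/ssh location is used.
  hostKeyDir = "${lib.optionalString hasOptinPersistence "/persist"}/etc/ssh";

in

{
  services.openssh = {
    enable = true;
    ports = [ sshPort ];
    # Only the declaratively managed key files are consulted; mkForce drops the
    # default %h/.ssh/authorized_keys entry so users cannot add keys themselves.
    authorizedKeysFiles = lib.mkForce [ "/etc/ssh/authorized_keys.d/%u" ];
    hostKeys = [{
      path = "${hostKeyDir}/ssh_host_ed25519_key";
      type = "ed25519";
    }];
    settings = {
      PasswordAuthentication = false;
      # PasswordAuthentication = false alone is not sufficient while UsePAM is
      # on: PAM can still prompt for a password via keyboard-interactive.
      KbdInteractiveAuthentication = false;
      PermitRootLogin = "no";
      # sshd keywords are case-insensitive; canonical spelling kept for grep-ability.
      PubkeyAuthentication = "yes";
      StreamLocalBindUnlink = "yes";
      UsePAM = true;
    };
  };
  security.pam = {
    sshAgentAuth.enable = true;
  };
  # Client-side config for the git deploy host. `accept-new` records the host
  # key on first contact and refuses a changed key afterwards; `no` would
  # accept any key silently. Pin the key via programs.ssh.knownHosts if it is
  # known ahead of time.
  programs.ssh.extraConfig = ''
    Host git.bitlab21.com
        IdentitiesOnly yes
        StrictHostKeyChecking accept-new
        IdentityFile /etc/ssh/deploy_key-ssh-ed25519
  '';
  # services.openssh.openFirewall (default true) already opens `ports`; kept
  # explicit so the intent survives if that default is ever overridden.
  networking.firewall.allowedTCPPorts = [ sshPort ];
}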