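{ pkgs, config, lib, ... }:
# NixOS module for the OpenSSH server: key-only root login, a host-name banner,
# and an optional mode that makes port 22 reachable only through the tinc VPN
# interfaces.
with lib;
with types;
let
  # Key that is always authorized for root, on top of cfg.rootKeyFiles.
  defaultRootKeyFiles = [ (toString ../../../assets/ssh/palo_rsa.pub) ];
  cfg = config.components.network.sshd;
  # Rule specification shared by the add and delete commands below: SSH
  # traffic that did NOT arrive on a tinc interface is redirected to port 0.
  tincRedirectRule = "PREROUTING ! --in-interface tinc.+ --protocol tcp --match tcp --dport 22 --jump REDIRECT --to-ports 0";
in
{
  imports = [
    ./known-hosts-bootup.nix
    ./known-hosts-private.nix
    ./known-hosts-public.nix
  ];

  options.components.network.sshd = {
    enable = mkOption {
      type = bool;
      default = true;
      description = "Whether to run the OpenSSH server.";
    };
    rootKeyFiles = mkOption {
      type = listOf path;
      default = [ ];
      description = "Public key files allowed to log in as root (the built-in default key is always added).";
    };
    onlyTincAccess = mkOption {
      type = bool;
      default = false;
      description = ''
        make sure ssh is only available through the tinc
      '';
    };
  };

  config = mkMerge [
    (mkIf cfg.enable {
      environment.systemPackages = [ pkgs.sshfs ];

      services.openssh = {
        enable = true;
        settings.X11Forwarding = false;
        settings.PasswordAuthentication = false;
        # NixOS leaves keyboard-interactive (PAM) authentication enabled by
        # default, and a password can still be entered through it even when
        # PasswordAuthentication is off. Disable it so only keys are accepted.
        settings.KbdInteractiveAuthentication = false;
      };

      users.users.root.openssh.authorizedKeys.keyFiles = cfg.rootKeyFiles ++ defaultRootKeyFiles;

      services.openssh.extraConfig = ''
        Banner /etc/ssh/banner-line
      '';

      # Pre-authentication banner: a horizontal rule followed by the host name
      # right-aligned to 80 columns (size is the padding needed in front of it).
      environment.etc."ssh/banner-line".text =
        let
          text = config.networking.hostName;
          size = 80 - (lib.stringLength text);
          space = lib.fixedWidthString size " " "";
        in
        ''
          ────────────────────────────────────────────────────────────────────────────────
          ${space}${text}
        '';
    })

    (mkIf (cfg.onlyTincAccess && cfg.enable) {
      # Both address families are covered: an IPv4-only rule would leave sshd
      # reachable over IPv6 on non-tinc interfaces. The rule is deleted before
      # it is appended so that a firewall reload (which re-runs these commands
      # without clearing the nat table) does not stack duplicate entries.
      # NOTE(review): extraCommands is only honored by the iptables firewall
      # backend; with the nftables backend this restriction is not applied.
      networking.firewall.extraCommands = ''
        iptables --table nat --delete ${tincRedirectRule} 2>/dev/null || true
        ip6tables --table nat --delete ${tincRedirectRule} 2>/dev/null || true
        iptables --table nat --append ${tincRedirectRule}
        ip6tables --table nat --append ${tincRedirectRule}
      '';
      # Remove the redirect again when the firewall is stopped.
      networking.firewall.extraStopCommands = ''
        iptables --table nat --delete ${tincRedirectRule} 2>/dev/null || true
        ip6tables --table nat --delete ${tincRedirectRule} 2>/dev/null || true
      '';
    })
  ];
}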