{ config, factsGenerator, lib, ... }:
let
  hostname = "cherry";
  # Name of the clan facts service that generates the dedicated root key.
  serviceName = "ssh.root.${hostname}";
  # File name of the private key produced by that service.
  keyFile = "${serviceName}.id_ed25519";
  # Runtime location where the private key is made available to mainUser.
  runtimeKeyPath = "/run/facts/${keyFile}";
  # Host aliases of the secure machine that must authenticate with this key only.
  secureHostAliases = [ "${hostname}.bear" "${hostname}.private" "${hostname}.wg0" ];
in
{
  # Root SSH key dedicated to reaching the secure machine "${hostname}".
  #
  # Deployments driven by the `clan` CLI (e.g. `clan machines update`) run
  # `ssh -A`, so the client's SSH agent is forwarded to the target machine.
  # Should that target ever be compromised, the forwarded agent could be used
  # to reach the secure machine with whatever keys the agent holds.
  # To close that path, the key below exists for this purpose only, is not
  # loaded into any other ssh-agent, and the SSH match blocks further down
  # pin the secure hosts to exactly this identity.
  clan.core.facts.services.${serviceName} = factsGenerator.ssh {
    name = "root.${hostname}";
  };

  # Copy the generated private key to a fixed runtime path for mainUser.
  # "C+" copies the secret even when the destination already exists; the
  # user, group and mode fields keep the copy readable only by mainUser.
  systemd.tmpfiles.settings.mainUser.${runtimeKeyPath}."C+" = {
    user = config.users.users.mainUser.name;
    group = config.users.users.mainUser.group;
    mode = "400";
    argument = config.clan.core.facts.services.${serviceName}.secret.${keyFile}.path;
  };

  # For every alias of the secure host, offer only the dedicated key.
  # identitiesOnly prevents ssh from trying any other identity, including
  # keys held by a forwarded agent.
  home-manager.users.mainUser.programs.ssh.matchBlocks = lib.genAttrs secureHostAliases (_: {
    identityFile = runtimeKeyPath;
    identitiesOnly = true;
  });
}