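{ config, factsGenerator, ... }:
let
  # Single source of truth for the on-disk copy of the backup-server key. The
  # tmpfiles target and every ssh matchBlock must agree on this path; spelling
  # it once prevents the two from drifting apart.
  backupKeyPath = "/run/facts/ssh.mainUser.chungus.id_ed25519";

  # Host-entry fragment shared by all destinations on the backup server.
  # identitiesOnly makes ssh offer only this identity file for these hosts and
  # ignore whatever keys an ssh-agent (forwarded or local) may hold.
  backupHost = {
    identityFile = backupKeyPath;
    identitiesOnly = true;
  };

  # Name of the clan fact that generates/stores the key pair.
  factName = "mainUser.ssh.chungus";
in
{
  # Defines the root SSH key used exclusively for accessing the backup server.
  # Deployments with the 'clan' command-line tool (e.g. 'clan machines update')
  # use 'ssh -A', which forwards the client's SSH agent to the target machine.
  # If that target machine is compromised, an attacker could use the forwarded
  # agent to reach the backup server with any key the agent holds.
  # This file prevents that scenario by giving the backup server its own key,
  # which is only ever read from disk (never loaded into an ssh-agent) and is
  # the only identity offered to the backup server's hosts.
  clan.core.facts.services.${factName} = factsGenerator.ssh { name = "root.chungus"; };

  # Copy the generated secret to a location readable only by mainUser
  # (mode 400, owned by mainUser). The '+' modifier of the tmpfiles 'C' line
  # lets the copy replace an existing file so a rotated secret is picked up.
  systemd.tmpfiles.settings.mainUser = {
    ${backupKeyPath}."C+" = {
      user = config.users.users.mainUser.name;
      group = config.users.users.mainUser.group;
      mode = "400";
      argument = config.clan.core.facts.services.${factName}.secret."ssh.root.chungus.id_ed25519".path;
    };
  };

  # Every route to the backup server (LAN, private network, WireGuard) uses the
  # dedicated key and nothing else.
  # NOTE(review): this relies on AddKeysToAgent not being enabled for these
  # hosts elsewhere in the ssh config; otherwise a first use could still place
  # the key into an agent.
  home-manager.users.mainUser.programs.ssh.matchBlocks = {
    "chungus.bear" = backupHost;
    "chungus.private" = backupHost;
    "chungus.wg0" = backupHost;
  };
}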