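# Home Manager module: OpenSSH client configuration with per-host keys that
# are provisioned through sops secrets.
{ lib, config, ... }:
let
  # Single switch (config.l.secrets.enable) that gates every secret-dependent
  # setting in this file.
  secretsEnabled = config.l.secrets.enable;

  # Path of the sops secret "ssh-keys/<name>". Wrapped in mkIf so that
  # identityFile is left undefined when secrets are disabled, instead of
  # referencing a secret that is not declared.
  ssh-key = name: lib.mkIf secretsEnabled config.sops.secrets."ssh-keys/${name}".path;

  # With identityFile alone, ssh may still offer other identities (for example
  # keys held by a running agent) to the server. Restrict each host to its
  # configured key, but only when that key is actually set; with secrets
  # disabled, ssh keeps its default key selection.
  pinIdentity = secretsEnabled;
in
{
  programs.ssh = {
    enable = true;
    # Every default is spelled out in the "*" block below rather than
    # inherited from the module's built-in default block.
    enableDefaultConfig = false;

    matchBlocks = {
      "*" = {
        # Never expose the local agent to remote hosts.
        forwardAgent = false;
        # Keys are not added to the agent automatically on first use.
        addKeysToAgent = "no";
        compression = true;
        # 0 disables client keepalive probes in OpenSSH, so the count below
        # only takes effect if the interval is raised.
        serverAliveInterval = 0;
        serverAliveCountMax = 3;
        # Store hashed host names so known_hosts does not list contacted
        # hosts in clear text.
        hashKnownHosts = true;
        userKnownHostsFile = "~/.ssh/known_hosts";
        # Connection multiplexing is off; controlPath is kept for the case
        # where controlMaster is enabled for a specific host.
        controlMaster = "no";
        controlPath = "~/.ssh/master-%r@%n:%p";
        controlPersist = "no";
      };

      # keep-sorted start block=yes newline_separated=yes
      "codeberg.org" = {
        user = "git";
        hostname = "codeberg.org";
        identityFile = ssh-key "codeberg";
        identitiesOnly = pinIdentity;
      };

      "github.com" = {
        user = "git";
        hostname = "github.com";
        identityFile = ssh-key "github";
        identitiesOnly = pinIdentity;
      };

      "scout.team1540.org" = {
        user = "ubuntu";
        hostname = "scout.team1540.org";
        identityFile = ssh-key "scout-team1540-org";
        identitiesOnly = pinIdentity;
      };

      "tangled.org" = {
        user = "git";
        hostname = "tangled.org";
        identityFile = ssh-key "tangled";
        identitiesOnly = pinIdentity;
      };
      # keep-sorted end
    };
  };

  # Private keys and their "-pub" counterparts are declared as sops secrets.
  # Only the private-key paths are referenced in this file; the "-pub" entries
  # are declared here but not used by the ssh configuration above.
  sops.secrets = lib.mkIf secretsEnabled {
    # keep-sorted start block=yes
    "ssh-keys/codeberg" = { };
    "ssh-keys/codeberg-pub" = { };
    "ssh-keys/github" = { };
    "ssh-keys/github-pub" = { };
    "ssh-keys/scout-team1540-org" = { };
    "ssh-keys/scout-team1540-org-pub" = { };
    "ssh-keys/tangled" = { };
    "ssh-keys/tangled-pub" = { };
    # keep-sorted end
  };
}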