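# SSH host identity and known_hosts pinning for this machine.
#
# The host's private keys are not generated on the box: sops decrypts them
# from ./host-keys/<hostName>.yaml into the exact paths sshd is configured to
# load, and the on-disk .pub files are derived from this host's own entry in
# ./known-hosts, so they cannot drift from what other machines pin.
{ customUtils, lib, config, hostName, ... }:
let
  # Each ./known-hosts/<name> entry is expected to be an attrset keyed by key
  # type (rsa, ed25519, ...); every (name, type) pair becomes one
  # services.openssh.knownHosts entry named "<name>-<type>".
  rawKnownHosts = customUtils.recImport { dir = ./known-hosts; };

  # Flatten { name = { type = entry; }; } into { "name-type" = entry; }.
  # Two flattened names can collide (both <name> and <type> may contain '-').
  # That is made a hard evaluation error rather than "first one wins": a
  # silently dropped known_hosts entry weakens host pinning without any trace.
  knownHosts = lib.zipAttrsWith
    (flatName: entries:
      assert lib.assertMsg (builtins.length entries == 1)
        "services.openssh.knownHosts: duplicate entry '${flatName}' produced from ./known-hosts";
      builtins.head entries)
    (lib.mapAttrsToList
      (name: byType:
        lib.mapAttrs' (type: entry: lib.nameValuePair "${name}-${type}" entry) byType)
      rawKnownHosts);

  # Private key locations, shared by sshd, sops and the .pub files below so
  # that a path change cannot leave one consumer pointing somewhere else.
  hostKeyFiles = {
    rsa = "/etc/ssh/ssh_host_rsa_key";
    ed25519 = "/etc/ssh/ssh_host_ed25519_key";
  };

  # sops file holding this host's private keys under the keys "rsa"/"ed25519".
  hostKeySopsFile = ./host-keys + "/${hostName}.yaml";
in
{
  services.openssh = {
    enable = true;
    inherit knownHosts;

    # Key files sshd loads. Order is kept as before (rsa first, then ed25519).
    # NOTE(review): the NixOS openssh module generates any listed key that is
    # missing when the service starts, so a failed sops decryption would bring
    # the host up with a fresh, unpinned identity — confirm that is acceptable
    # or make sshd depend on the sops secrets being present.
    hostKeys = [
      { path = hostKeyFiles.rsa; type = "rsa"; }
      { path = hostKeyFiles.ed25519; type = "ed25519"; }
    ];
  };

  # Decrypt the private keys straight to the paths sshd reads. No owner/mode
  # is set here, so sops-nix's default (presumably root-owned, 0400) applies;
  # do not relax it, sshd refuses group/world-readable host keys.
  sops.secrets = {
    ssh_host_rsa_key = {
      key = "rsa";
      path = hostKeyFiles.rsa;
      sopsFile = hostKeySopsFile;
    };
    ssh_host_ed25519_key = {
      key = "ed25519";
      path = hostKeyFiles.ed25519;
      sopsFile = hostKeySopsFile;
    };
  };

  # Public halves come from this host's own known-hosts entries
  # ("<hostName>-rsa" / "<hostName>-ed25519"), not from the private key, so
  # the .pub files are exactly what other hosts pin. Evaluation fails if the
  # entry is missing — intended: every host must be listed in ./known-hosts.
  environment.etc = {
    "ssh/ssh_host_rsa_key.pub".text =
      config.services.openssh.knownHosts."${hostName}-rsa".publicKey;
    "ssh/ssh_host_ed25519_key.pub".text =
      config.services.openssh.knownHosts."${hostName}-ed25519".publicKey;
  };

  # The system-provided per-user ssh-agent unit is forced off; ssh-agent is
  # expected to be set up via home-manager instead.
  systemd.user.services."ssh-agent".enable = lib.mkForce false;
}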