{ den, ... }:
{
  lux.ssh = {
    homeManager =
      { config, pkgs, ... }:
      {
        programs.gpg = {
          enable = true;
          homedir = "${config.xdg.dataHome}/gnupg";
        };

        services.gpg-agent = {
          enable = true;
          enableSshSupport = true;
          enableZshIntegration = true;
          pinentry.package = pkgs.pinentry-gnome3;
          sshKeys = [
            "CD848796822630B280FC6DFA55F24A20040F22B5"
            "B8FBDFBD7F42C444C17E086E0EE2E34FB43A7187"
          ];
        };

        programs.ssh = {
          enable = true;
          enableDefaultConfig = false;
          includes = [
            "${config.sops.secrets.ssh-config-orion.path}"
          ];
        };

        sops.secrets.ssh-config-orion = { };
      };

    # Forward ssh agent to root when using sudo
    # Useful for nixos-rebuild when pulling private repos
    nixos.security.sudo.extraConfig = ''
      Defaults env_keep+=SSH_AUTH_SOCK
    '';
  };
}