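# Flake-level module that exports two NixOS modules:
#   - ssh-agent-auth: lets sudo authenticate through the caller's SSH agent.
#   - openssh: key-only sshd restricted to the single repo account.
{ config, lib, ... }:
let
  account = config.repo.account;

  # Returns the personal public key of every machine that declares one.
  # Machines without an `sshKeys.personal` attribute are skipped, so the
  # result may be an empty list.
  personalPublicKeys =
    machines:
    map (machine: machine.sshKeys.personal.publicKey) (
      lib.filter (machine: machine.sshKeys ? personal) (builtins.attrValues machines)
    );
in
{
  flake.modules.nixos.ssh-agent-auth = {
    security.pam = {
      # sudo is satisfied by a signature from a key held in the caller's SSH
      # agent instead of a password. Anything able to talk to that agent
      # socket (including a host the agent has been forwarded to) can
      # therefore obtain root on machines importing this module.
      # NOTE(review): confirm security.pam.sshAgentAuth.authorizedKeysFiles
      # only lists root-owned paths, never a file the user can write.
      sshAgentAuth.enable = true;
      services.sudo.sshAgentAuth = true;
    };
  };

  flake.modules.nixos.openssh =
    { ... }:
    {
      services.openssh = {
        enable = true;
        openFirewall = true;
        settings = {
          PermitRootLogin = "no";
          PasswordAuthentication = false;
          # PasswordAuthentication alone does not close the PAM-backed
          # keyboard-interactive method, which can still prompt for the
          # account password. Disable it so public keys are the only way in.
          KbdInteractiveAuthentication = false;
          AllowUsers = [ account.name ];
        };
      };

      # `config` here is the outer flake-level config, not the NixOS one.
      # If no machine defines `sshKeys.personal` this list is empty and,
      # with the settings above, no SSH login path remains for the account.
      users.users.${account.name}.openssh.authorizedKeys.keys = personalPublicKeys config.repo.machines;
    };
}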