{ ... }:
{
  flake.modules.nixos."ssh-agent-auth" = {
    security.pam = {
      sshAgentAuth.enable = true;
      services.sudo.sshAgentAuth = true;
    };
  };

  flake.modules.nixos.openssh =
    {
      config,
      ...
    }:
    let
      isServer = config.meta.host.kind == "server";
      hostUserNames = builtins.attrNames config.meta.host.users;
    in
    {
      services.openssh = {
        enable = true;
        openFirewall = isServer;
        settings = {
          PermitRootLogin = "no";
          PasswordAuthentication = false;
          AllowUsers = hostUserNames;
        };
      };
    };
}