{ den, ... }:
{
  lux.ssh = {
    homeManager =
      { config, ... }:
      {
        programs.ssh = {
          enable = true;
          enableDefaultConfig = false;
          includes = [
            config.sops.templates."ssh-config-orion".path
          ];
        };

        sops.secrets."orion-ip" = { };
        sops.templates."ssh-config-orion".content = ''
          Host orion
            HostName ${config.sops.placeholder."orion-ip"}
            ForwardAgent yes
        '';
      };

    nixos.security.sudo.extraConfig = ''
      Defaults env_keep+=SSH_AUTH_SOCK
    '';
  };
}