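# Flake-parts style module that exports a home-manager module as
# `flake.homeModules.ssh`.  The module declares a small `ssh` option set
# (where the identity file lives, plus opt-in groups of host aliases) and
# renders it into `programs.ssh`, together with a helper script that asks a
# step-ca SSH CA to sign the public key.
{ inputs, ... }:
let
  # Single source of truth for the login name: used as the global `User`
  # in ssh_config and as the key id / principal when a certificate is signed.
  userName = "john";
in
{
  flake.homeModules.ssh = { pkgs, config, lib, ... }: {
    options.ssh = {
      IdentityFile = lib.mkOption {
        # Intentionally a string rather than `lib.types.path`: a path value
        # would be copied into the (world-readable) Nix store, so the private
        # key must only ever be referenced by name.
        type = lib.types.str;
        default = "${config.home.homeDirectory}/.ssh/id_ed25519";
        description = "Path to the SSH identity file.";
      };

      # Opt-in host groups.  `mkEnableOption` already prefixes its argument
      # with "Whether to enable ", so the argument is the bare noun phrase
      # (passing "Enable ..." rendered as "Whether to enable Enable ...").
      matchSets = {
        appdaemon = lib.mkEnableOption "AppDaemon SSH targets";
        certs = lib.mkEnableOption "Janus and Soteria SSH targets";
        homelab = lib.mkEnableOption "various Homelab targets";
      };
    };

    # Because this module declares `options`, the module system requires all
    # definitions to live under `config` (bare top-level keys would be read
    # as option declarations), hence the wrapper.
    config =
      let
        identityFile = config.ssh.IdentityFile;
        publicKeyFile = "${identityFile}.pub";
        # The signed certificate is expected next to the key as `<key>-cert.pub`.
        certificateFile = "${identityFile}-cert.pub";
        userKnownHostsFile = "${config.home.homeDirectory}/.ssh/known_hosts";
      in
      {
        home.packages = [
          # Requests an SSH user certificate for `publicKeyFile` from the
          # step-ca `admin` JWK provisioner.  The certificate carries both the
          # `root` and `${userName}` principals; presumably that is what lets
          # the `user = "root"` host blocks below authenticate with it, so the
          # provisioner password deserves the same handling as the private key.
          # NOTE(review): `step` is resolved from the caller's PATH rather than
          # pinned to a nixpkgs derivation — confirm this is intended.
          (pkgs.writeShellScriptBin "sign-ssh-cert" ''
            echo "Signing ${publicKeyFile}"
            echo "Copy the Step-CA JWK Provisioner password from 1password"
            step ssh certificate --sign \
              --principal root --principal ${userName} \
              --provisioner admin \
              ${userName} ${publicKeyFile}
          '')
        ];

        programs.ssh = {
          enable = true;
          # Home-manager's built-in defaults are switched off, so the "*"
          # block below is (presumably) the complete global policy — keep
          # every setting explicit there.
          enableDefaultConfig = false;
          extraConfig = ''
            SetEnv TERM="xterm-256color"
            IdentityAgent ~/.1password/agent.sock
          '';
          matchBlocks = lib.mkMerge [
            {
              "*" = {
                user = userName;
                compression = false;
                serverAliveInterval = 0;
                serverAliveCountMax = 3;
                # Only ever offer the configured key/certificate, not every
                # identity the 1Password agent happens to hold.
                identitiesOnly = true;
                inherit identityFile certificateFile userKnownHostsFile;
                # NOTE(review): known_hosts is kept in clear text, so the
                # hostnames/IPs below are readable from that file — confirm
                # this is deliberate.
                hashKnownHosts = false;
                addKeysToAgent = "yes";
                # Agent forwarding stays off globally; opt in per host only
                # when a specific remote genuinely needs it.
                forwardAgent = false;
              };
            }
            (lib.mkIf config.ssh.matchSets.appdaemon {
              "appdaemon" = { hostname = "192.168.1.242"; };
              "ad-nix" = { hostname = "192.168.1.201"; user = "appdaemon"; };
            })
            (lib.mkIf config.ssh.matchSets.certs {
              "janus" = { hostname = "janus.john-stream.com"; user = "root"; };
              "soteria" = { hostname = "soteria.john-stream.com"; user = userName; };
            })
            (lib.mkIf config.ssh.matchSets.homelab {
              "docs" = { hostname = "192.168.1.110"; user = "root"; };
              "gitea" = { hostname = "192.168.1.104"; user = userName; };
              "hermes" = { hostname = "192.168.1.150"; user = "root"; };
              "panoptes" = { hostname = "192.168.1.107"; user = "panoptes"; };
            })
          ];
        };
      };
  };
}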