diff --git a/home-modules/ssh.nix b/home-modules/ssh.nix
index dbe1c8a..8f8407a 100644
--- a/home-modules/ssh.nix
+++ b/home-modules/ssh.nix
@@ -1,50 +1,47 @@
-{ pkgs, ... }@all: with all;
-{
- home = {
- packages = with pkgs; [ sshfs ];
- file."vault/ssh/config".text = /* ssh */ ''
- HOST nxace
- HostName ssh.${hyper.domain}
- User ${hyper.user}
- Port 50022
- IdentityFile ~/vault/ssh/nxace-nx2-${hyper.host}
+{ pkgs, ... }@all: with all; {
+ programs.ssh = {
+ enable = true;
+ package = pkgs.openssh;
+ matchBlocks = let
+ nxace = name: {
+ host = name;
+ hostname = "ssh.${hyper.domain}";
+ user = hyper.user;
+ port = secrets.ssh.port;
+ identityFile = "${hyper.home}/vault/ssh/nxace-nx2-${hyper.host}";
+ };
+ in {
+ "nxace" = nxace "nxace";
+ "nxacel" = (nxace "nxacel") // { hostname = "10.0.1.1"; };
+ "nxrpli" = (nxace "nxrpil") // { hostname = "10.0.1.31"; port = 22; };
+ "nxgit" = (nxace "nxgit") // {
+ user = "git";
+ identityFile = builtins.trace config.programs.ssh.matchBlocks.nxgit
+ "${hyper.home}/vault/ssh/nxgit-nx2-${hyper.host}";
+ # addKeysToAgent = "1h";
+ };
+ };
+ };
+ home.packages = with pkgs; [ sshfs ];
 
- HOST nxacel
- HostName 10.0.1.1
- User ${hyper.user}
- Port 50022
- IdentityFile ~/vault/ssh/nxace-nx2-${hyper.host}
-
- HOST nxrpil
- HostName 10.0.1.31
- User ${hyper.user}
- Port 22
-
- HOST nxgit
- HostName ssh.${hyper.domain}
- User git
- Port 50022
- IdentityFile ~/vault/ssh/nxgit-nx2-${hyper.host}
+ services.gpg-agent = let
+ min2sec = min: (min * 60);
+ in {
+ enable = false;
+ verbose = true;
+ sshKeys = [
+ "97081264F7FD72D890D496E839AA9A4C7892A7D8" # Keygrip (not Fingerprint!) of [A] Subkey
+ ];
+ enableSshSupport = true;
+ enableFishIntegration = true;
+ defaultCacheTtlSsh = min2sec 60;
+ defaultCacheTtl = min2sec 30;
+ pinentry = {
+ package = pkgs.pinentry;
+ program = "pinentry";
+ };
+ extraConfig = ''
+ allow-loopback-pinentry
 '';
 };
- # services.gpg-agent = let
- # min2sec = min: (min * 60);
- # in {
- # enable = true;
- # verbose = true;
- # sshKeys = [
- # "97081264F7FD72D890D496E839AA9A4C7892A7D8" # Keygrip (not Fingerprint!) of [A] Subkey
- # ];
- # enableSshSupport = true;
- # enableFishIntegration = true;
- # defaultCacheTtlSsh = min2sec 60;
- # defaultCacheTtl = min2sec 30;
- # pinentry = {
- # package = pkgs.pinentry;
- # program = "pinentry";
- # };
- # extraConfig = ''
- # allow-loopback-pinentry
- # '';
- # };
 }
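Review bot: The attribute name and the host passed to the helper disagree on the `"nxrpli" = (nxace "nxrpil") // { ... }` line, so the block is keyed as `nxrpli` while the generated `Host` line (taken from `host = name`) reads `nxrpil`; the old config used `nxrpil`, so the key is the typo and the line should read `"nxrpil" = (nxace "nxrpil") // { hostname = "10.0.1.31"; port = 22; };`. The same host now also inherits the `nxace-nx2-${hyper.host}` identity file from the helper, which the removed `HOST nxrpil` stanza did not set, so confirm that key is meant to be offered to 10.0.1.31. In the `nxgit` block, `identityFile = builtins.trace config.programs.ssh.matchBlocks.nxgit ...` looks like leftover debugging: it prints the match block on every evaluation and reads back the very option being defined, which risks an infinite-recursion error in the module system; the line should be just `identityFile = "${hyper.home}/vault/ssh/nxgit-nx2-${hyper.host}";`. Since each match block now carries an explicit `identityFile`, adding `identitiesOnly = true;` to the `nxace` helper would stop ssh from also offering every other key the agent holds to these hosts.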