{ host, secrets, ... }:

{
  environment.etc."ssh/ssh_host_ed25519_key.pub".text = if (host == "NxNORTH") then
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF1r5gUQPPS/dGB0SsvWtP6WdNWoxMwhhHRrqlO19cJt root@NxNORTH"
    else if ( host == "NxXPS") then
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPf+08+t8a0lY2+nR1mhIU3vuksStiJOlojJjzCwFk7r root@NxXPS"
    else 
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBFfZpWVPlujsz3FklSVAM+tuYn4pzDSijhp5CeYNOZk root@NxACE";
  sops.secrets."ssh/${host}-ssh_host_ed25519_key" = {
    mode = "0600";
    path = "/etc/ssh/ssh_host_ed25519_key.shadow";
  };
  services.openssh = {
    enable = true;
    ports = secrets.ssh.ports;
    settings = {
      PasswordAuthentication = false;
    };
  };
}