{ pkgs, ... }@all: with all; {
  home.packages = with pkgs; [ sshfs ];
  programs.ssh = {
    enable = true;
    package = pkgs.openssh;
    enableDefaultConfig = false;
    matchBlocks = let
      default = {
        addKeysToAgent = "yes";
        forwardAgent = false;
        compression = false;
        serverAliveInterval = 0;
        serverAliveCountMax = 3;
        hashKnownHosts = false;
        userKnownHostsFile = "~/.ssh/known_hosts";
        controlMaster = "no";
        controlPath = "~/.ssh/master-%r@%n:%p";
        controlPersist = "no";
      };
      nxace = name: default // {
        host = name;
        hostname = "ssh.${hyper.domain}";
        user = "nx2";
        port = 50022;
        identityFile = [ "${hyper.home}/vault/ssh/nxace-nx2-${hyper.host}" ];
      };
    in {
      "*" = default;
      "ssh.nx2.site" = default // { identityFile = [
        "${hyper.home}/vault/ssh/nxgit-nx2-${hyper.host}"
        "${hyper.home}/vault/ssh/nxace-nx2-${hyper.host}"
      ]; };
      "tg.dm.informatik.tu-darmstadt.de" = default // { identityFile = [ "${hyper.home}/vault/ssh/tg-dm-informatik-tuda"           ]; };
      "git.da.dicos.de"                  = default // { identityFile = [ "${hyper.home}/vault/ssh/dcsgit-lkurzweg-${hyper.host}"   ]; };
      "github.com"                       = default // { identityFile = [ "${hyper.home}/vault/ssh/github-noggynoggy-${hyper.host}" ]; };
      "nxace"                            = (nxace "nxace" );
      "nxacel"                           = (nxace "nxacel") // { hostname = "10.0.1.1"; };
      "nxrpli"                           = (nxace "nxrpil") // { hostname = "10.0.1.31"; port = 22; };
      "nx2s-email-relay" = default // {
        identityFile = "${hyper.home}/vault/ssh/nx2s-email-relay";
        host = "35.243.218.208";
        port = 22;
        user = secrets.ssh.nx2s-email-relay-user;
      };
    };
  };
  services.ssh-agent = {
    enable = true;
    # socket = "ssh-agent"; # suffix to $XDG_RUNTIME_DIR
    # package = pkgs.openssh;
  };
}