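# Home Manager-style module: SSH client host aliases, sshfs, and a gpg-agent
# definition (currently disabled) that could serve as the SSH agent.
#
# `with all;` puts every module argument in scope. `hyper` and `secrets` are
# not defined in this file and are expected to arrive that way.
{ pkgs, ... }@all:
with all;
{
  programs.ssh = {
    enable = true;
    package = pkgs.openssh;

    matchBlocks =
      let
        # Template for one host alias. Every entry starts from the same
        # endpoint, user, port and per-machine key file, then overrides
        # individual fields with `//`.
        nxace = name: {
          host = name;
          hostname = "ssh.${hyper.domain}";
          user = hyper.user;
          # NOTE(review): this value is rendered into the generated ssh config.
          # If that file lives in the Nix store it is world-readable, so do not
          # rely on the port staying confidential.
          port = secrets.ssh.port;
          # NOTE(review): `identitiesOnly` is not set, so ssh may still offer
          # agent or default keys before this one. Consider
          # `identitiesOnly = true;` to pin each alias to its own key.
          identityFile = "${hyper.home}/vault/ssh/nxace-nx2-${hyper.host}";
        };
      in
      {
        "nxace" = nxace "nxace";

        # Same settings, reached via a private (RFC 1918) address.
        "nxacel" = (nxace "nxacel") // {
          hostname = "10.0.1.1";
        };

        # NOTE(review): the attribute key is "nxrpli" but the Host alias passed
        # to the template is "nxrpil". One of the two looks like a typo;
        # confirm which name `ssh <alias>` is meant to match.
        # This entry also inherits the nxace key file from the template.
        "nxrpli" = (nxace "nxrpil") // {
          hostname = "10.0.1.31";
          port = 22;
        };

        # Git access: fixed `git` user and a dedicated key file.
        "nxgit" = (nxace "nxgit") // {
          user = "git";
          identityFile = "${hyper.home}/vault/ssh/nxgit-nx2-${hyper.host}";
          # addKeysToAgent = "1h";
        };
      };
  };

  home.packages = with pkgs; [ sshfs ];

  services.gpg-agent =
    let
      # Convert minutes to seconds for the cache TTL options.
      min2sec = min: (min * 60);
    in
    {
      # Disabled: everything below is inert until this is set to true.
      enable = false;
      verbose = true;
      sshKeys = [
        "97081264F7FD72D890D496E839AA9A4C7892A7D8" # Keygrip (not Fingerprint!) of [A] Subkey
      ];
      enableSshSupport = true;
      enableFishIntegration = true;
      defaultCacheTtlSsh = min2sec 60; # 3600 s
      defaultCacheTtl = min2sec 30; # 1800 s
      pinentry = {
        package = pkgs.pinentry;
        program = "pinentry";
      };
      # NOTE(review): allow-loopback-pinentry lets a client request loopback
      # pinentry mode, where the passphrase comes from the calling process
      # instead of the pinentry program. Keep it only if something here needs
      # non-interactive unlocking.
      extraConfig = ''
        allow-loopback-pinentry
      '';
    };
}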