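{ config, pkgs, ... }:

let
  # SSH listening port per host. An unknown host name aborts evaluation
  # instead of silently falling back to a default, so every new machine
  # has to be added here on purpose.
  sshPortByHost = {
    yodaTux = 22;
    yodaTab = 22;
    yodaGaming = 22;
    yodaYoga = 2224;
    yodaNas = 2222;
    yodaHedgehog = 2226;
  };

  hostName = config.networking.hostName;

  # `or` is lazy: the throw is only evaluated when the host is not listed.
  sshPort = sshPortByHost.${hostName} or (throw "Please add ssh port here");

  # Primary user key, shared by both accounts below.
  nitrokeyPub = builtins.readFile ../assets/ssh/nitrokey.pub;
in
{
  # Enable SSH server.
  services.openssh = {
    enable = true;
    ports = [ sshPort ];

    # Enabling this is required for commands such as sftp and sshfs.
    allowSFTP = false;

    settings = {
      # Use authorized keys only.
      PasswordAuthentication = false;
      # PasswordAuthentication alone still leaves PAM keyboard-interactive
      # prompts enabled, which can accept the account password; disable it
      # too so that key-based auth is the only remaining path.
      KbdInteractiveAuthentication = false;
      # Root receives authorized keys below; state explicitly that root may
      # only log in with a key (this matches the NixOS default).
      PermitRootLogin = "prohibit-password";

      # https://infosec.mozilla.org/guidelines/openssh
      # chacha20-poly1305 is an AEAD cipher, so Macs only takes effect if a
      # non-AEAD cipher is ever added to the Ciphers list.
      Macs = ["hmac-sha2-512-etm@openssh.com"];
      Ciphers = ["chacha20-poly1305@openssh.com"];
      # TODO Use Ed25519 instead of RSA key pairs (a key-type change, which is
      # independent of the key-exchange algorithm setting below).
      #KexAlgorithms = ["curve25519-sha256@libssh.org"];
    };
  };

  # TODO replace authorizedKeys in all .nix files with authorizedKeyFiles
  # SSH public key(s) allowed to connect via SSH.
  users.users."yoda".openssh.authorizedKeys.keys = [ nitrokeyPub ];

  # Root additionally accepts the hedgehog key, but only on the NAS host.
  users.users."root".openssh.authorizedKeys.keys =
    [ nitrokeyPub ]
    ++ (if hostName == "yodaNas"
        then [ (builtins.readFile ../assets/ssh/hedgehog.pub) ]
        else []);
}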