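# NixOS module: key-only OpenSSH server plus a Nitrokey (OpenPGP smartcard)
# backed SSH client setup, where gpg-agent stands in for ssh-agent.
{ config, pkgs, ... }:

{
  # Enable SSH server.
  services.openssh = {
    enable = true;

    settings = {
      # Forbid root login through SSH.
      PermitRootLogin = "no";

      # Use authorized keys only.
      PasswordAuthentication = false;

      # Keyboard-interactive is a separate sshd authentication method that
      # can still prompt for the account password through PAM, so it has to
      # be turned off as well for "authorized keys only" to actually hold.
      KbdInteractiveAuthentication = false;
    };
  };

  # Use NitroKey USB smartcard with SSH.
  # https://nixos.wiki/wiki/Nitrokey
  #
  # Restart gpg-agent after config change.
  # Otherwise there might be a gpg error about "no pinentry".
  # https://discourse.nixos.org/t/cant-get-gnupg-to-work-no-pinentry/15373/19
  #
  # Not sure if this is needed: Reload udev rules (both commands need root).
  #   sudo udevadm control --reload-rules && sudo udevadm trigger
  #
  # The udev rules let the device be used without running the client tools
  # as root.
  services.udev.packages = [ pkgs.nitrokey-udev-rules ];

  programs = {
    # The stock ssh-agent must stay off: gpg-agent below takes over the SSH
    # agent role, and only one of them can own SSH_AUTH_SOCK.
    ssh.startAgent = false;

    gnupg.agent = {
      enable = true;
      # ... Also sets SSH_AUTH_SOCK environment variable correctly.
      enableSSHSupport = true;
    };
  };

  # Smartcard daemon.
  services.pcscd.enable = true;
}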