# nixos-config - My current NixOS configuration
#
# Copyright (C) 2025 Benedikt Peetz
# SPDX-License-Identifier: GPL-3.0-or-later
#
# This file is part of my nixos-config.
#
# You should have received a copy of the License along with this program.
# If not, see <https://www.gnu.org/licenses/gpl-3.0.txt>.
#
# SSH client settings for the `root` and `soispha` home-manager users.
# Both users share one hardened "Host *" block and differ only in where
# their known_hosts file lives.
{
  config,
  lib,
  pkgs,
  ...
}: let
  cfg = config.soispha.programs.ssh;

  # Build the options placed under "Host *" for a given known_hosts path.
  # The agent is never fed keys or forwarded, and connection multiplexing is
  # off, so one session cannot lend its credentials or its channel to another.
  sshDefaultsFor = knownHostsFile: {
    UserKnownHostsFile = knownHostsFile;

    # Agent handling: no automatic key loading, no forwarding to remote hosts.
    AddKeysToAgent = "no";
    ForwardAgent = false;

    # No shared master connection.
    ControlMaster = "no";
    ControlPersist = "no";

    # Host names are kept in clear text in known_hosts (not hashed).
    HashKnownHosts = false;

    Compression = true;

    # Keep-alive probe every 240 s; give up after 3 unanswered probes.
    ServerAliveInterval = 240;
    ServerAliveCountMax = 3;
  };

  # The complete `programs.ssh` value for one user: home-manager's own default
  # config is disabled, so only the block built above is applied.
  mkSshProgram = knownHostsFile: {
    enable = true;
    enableDefaultConfig = false;
    settings."Host *" = sshDefaultsFor knownHostsFile;
  };

  # Root's pinned host keys, written to the Nix store. The file is therefore
  # immutable at runtime (ssh cannot append newly accepted keys) and, like the
  # rest of the store, readable by every local user, host names included.
  # NOTE(review): StrictHostKeyChecking is not set in this module. Confirm the
  # effective value makes root refuse hosts missing from this list, not prompt.
  rootKnownHostsFile = "${pkgs.writeTextFile {
    name = "root-known-hosts";
    text = cfg.rootKnownHosts;
  }}";

  # soispha uses an ordinary file below the user's XDG data directory.
  userKnownHostsFile = "${config.home-manager.users.soispha.xdg.dataHome}/ssh/known_hosts";
in {
  options.soispha.programs.ssh = {
    enable = lib.mkEnableOption "ssh config";

    rootKnownHosts = lib.mkOption {
      type = lib.types.attrsOf lib.types.str;
      description = ''
        An attrset of keys (the domain) and values (the host key.)
        These are only applied to the root user.
      '';
      default = {};

      # Render the attrset as known_hosts text: one "<host> <key>" line per
      # attribute, joined with newlines (no trailing newline). Names and keys
      # are concatenated verbatim; nothing here checks that an entry is a
      # single well-formed known_hosts line, so review changes to this set as
      # changes to root's trust anchors.
      apply = entries:
        lib.concatStringsSep "\n" (
          lib.mapAttrsToList (hostName: hostKey: "${hostName} ${hostKey}") entries
        );
    };
  };

  config = lib.mkIf cfg.enable {
    home-manager.users.root.programs.ssh = mkSshProgram rootKnownHostsFile;
    home-manager.users.soispha.programs.ssh = mkSshProgram userKnownHostsFile;
  };
}