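# Client-side setup for SSH host-based authentication towards cluster nodes.
#
# This module does three things:
#   1. Replaces the OpenSSH client package with a locally patched build.
#   2. Enables ssh-keysign and turns on HostbasedAuthentication, but only for
#      hosts matching node-*.<networking.domain>.
#   3. Installs a setuid-root wrapper for ssh-keysign, the helper that signs
#      the host-based authentication request with the local host key.
#
# Only the client half is configured here. The accepting side (sshd
# HostbasedAuthentication, known host keys, shosts.equiv or equivalent) is not
# part of this file.
#
# Trust model: with host-based authentication the server accepts the client
# host's assertion of who the user is, so root on any trusted node can act as
# any user the peers accept. Keep the set of trusted hosts as narrow as the
# Host pattern below.
{ pkgs, lib, config, ... }:
with lib;
{
  programs.ssh = {
    # `or [ ]` keeps the override evaluating if the base derivation ever stops
    # defining `patches`.
    #
    # NOTE(review): the patch file is not visible from this module. Going by
    # its name, it removes a check related to ssh-keysign. Because ssh-keysign
    # runs setuid root and handles host private keys, the patch should be
    # reviewed and re-validated on every OpenSSH version bump.
    package = pkgs.openssh.overrideAttrs (final: prev: {
      patches = (prev.patches or [ ]) ++ [
        ../../patches/openssh-keysign-check-remove.patch
      ];
    });

    # EnableSSHKeysign is placed ahead of the Host block: ssh_config(5) says it
    # belongs in the non-host-specific section. HostbasedAuthentication is
    # scoped to the node-* pattern so it is not attempted against other hosts.
    #
    # networking.domain must be set; a null value cannot be interpolated into
    # the string and evaluation will fail.
    extraConfig = ''
      EnableSSHKeysign yes
      Host node-*.${config.networking.domain}
        HostbasedAuthentication yes
    '';
  };

  # ssh-keysign must be setuid root to read the host private keys, so it is
  # exposed through a NixOS security wrapper rather than from the store.
  #
  # NOTE(review): the wrapper points at the *unpatched* pkgs.openssh, while
  # programs.ssh.package above is the patched build. If the patch is meant to
  # change ssh-keysign itself, the setuid binary does not contain it and the
  # source should be "${config.programs.ssh.package}/libexec/ssh-keysign".
  # If the patch only touches the ssh client, keeping the setuid helper
  # unpatched is the more conservative choice. Confirm which is intended.
  security.wrappers."ssh-keysign" = {
    source = "${pkgs.openssh}/libexec/ssh-keysign";
    setuid = true;
    owner = "root";
    group = "root";
  };
}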