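# Cluster-wide SSH wiring for one node: run sshd with key-only root login and
# pre-seed known_hosts with every cluster member's ed25519 host key, so that
# node-to-node ssh never has to fall back to trust-on-first-use.
{ lib, nodes, ... }:
{
  services.openssh = {
    enable = true;
    # Root may log in, but only with a key; password auth for root is refused.
    # "prohibit-password" is the current OpenSSH spelling; "without-password"
    # is the deprecated alias with identical semantics. Note this does NOT
    # disable password authentication for non-root users — PasswordAuthentication
    # is left at its default here.
    settings.PermitRootLogin = "prohibit-password";
  };

  programs.ssh = {
    # Add known-host entries for all machines in the cluster, one per node,
    # each pinning that node's ed25519 host public key (collected through
    # gather.parts below) under both its short hostname and its FQDN.
    # NOTE(review): setting hostNames replaces the default (the attribute
    # name), so a node whose attribute name differs from networking.hostName
    # is not matched when addressed by node name — confirm the two agree, or
    # add `name` to the list.
    # NOTE(review): networking.fqdn evaluates to an error when a node has no
    # networking.domain — confirm every node in `nodes` sets one.
    knownHosts = lib.mapAttrs (name: node: {
      hostNames = [
        node.config.networking.hostName
        node.config.networking.fqdn
      ];
      publicKeyFile = node.config.gather.parts."ssh/hostKey".path;
    }) nodes;
  };

  # Publish this node's ed25519 host PUBLIC key so the other nodes can pin it
  # in their known_hosts (the consumer is the knownHosts mapping above).
  # Only the .pub half is exposed; the private key never leaves /etc/ssh.
  # gather.parts is presumably a project module that collects `file` from the
  # deployed host and makes it available as `.path` — verify against that module.
  gather.parts."ssh/hostKey" = {
    name = "ssh_host_ed25519_key.pub";
    file = "/etc/ssh/ssh_host_ed25519_key.pub";
  };
}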