{ pkgs, config, data, ... }:
let
  gitSSHPort = data.services.git.sshPort;
in
{
  services.openssh = {
    enable = true;
    ports = [ (if data ? sshPort then data.sshPort else 37163) gitSSHPort ];
    settings.PermitRootLogin = "no";
    settings.PasswordAuthentication = false;
    extraConfig = ''
    Match LocalPort ${toString gitSSHPort}
      AllowUsers forgejo
    '';
  };
  programs.ssh.startAgent = true;

  services.endlessh-go = {
    enable = true;
    openFirewall = true;
    port = 22;
  };

  users.users.lgm.openssh.authorizedKeys.keys = [
    ''sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHFPA2RhqZIVCLwYuEUDQyOnJ4g1R6IfQyhGqZ2Cvvu+AAAABHNzaDo= lgm@lgm-nixos''
    ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHUawqrjSPXTwQ4ZY2rw9o+XgmK7TbH0QEIXQPh8gT0J lgm@lgm-nixos''
  ];
}