# Remote-access module: enables mosh and OpenSSH, and feeds sshd its ed25519
# host key through a systemd encrypted credential instead of a key file that
# NixOS generates and manages on disk.
{ lib, inputs, hostName, ... }:
{
  # mkDefault so that an individual host can still switch mosh off.
  programs.mosh.enable = lib.mkDefault true;

  services.openssh = {
    enable = true;

    # TODO: use hostKeys= once LoadCredentialEncrypted= works in ExecStartPre=
    # Forced to the empty list so the only host key sshd is pointed at is the
    # credential-backed HostKey line below.
    hostKeys = lib.mkForce [ ];

    # Path of the decrypted credential as systemd exposes it to sshd.service;
    # the file name has to match the credential name used in
    # LoadCredentialEncrypted below.
    extraConfig = ''
      HostKey /run/credentials/sshd.service/ed25519.key
    '';
  };

  # "<credential name>:<path to encrypted blob>". systemd decrypts the blob
  # when the unit starts and makes the plaintext available only inside the
  # unit's credentials directory.
  # NOTE(review): the blob is referenced through inputs.self (presumably this
  # flake's own source), so it will be copied into the Nix store, which is
  # readable by every local user. Only the encrypted .cred output may ever be
  # committed at this path, never the plaintext private key. Confirm the
  # credential was encrypted for this host and under the name "ed25519.key".
  systemd.services.sshd.serviceConfig.LoadCredentialEncrypted = [
    "ed25519.key:${inputs.self}/hosts/${hostName}/networking/ssh/ed25519.key.cred"
  ];
}