{ pkgs, lib, config, hosts, ... }:
let
  inherit (config.security) gnupg;
  inherit (config.users) users;
in
{
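# Keeps a reverse SSH tunnel open to the host "mermet": TCP port 10022 on
# mermet is forwarded back to this machine's sshd on localhost:22.
systemd.services.ssh-mermet-reverse = {
  # `after` only orders the unit; `wants` is what pulls
  # network-online.target into the transaction so the ordering has an effect.
  wants = [ "network-online.target" ];
  after = [ "network-online.target" ];
  wantedBy = [ "multi-user.target" ];
  serviceConfig = {
    Type = "simple";
    # The `*` bind address of -R is honoured only when the target sets
    # services.openssh.gatewayPorts = "clientspecified"; without it the
    # target's sshd binds the forwarded port to loopback only.
    # With it, every host that can reach mermet on port 10022 reaches this
    # machine's sshd, so that port should be filtered on mermet if wider
    # exposure is not intended.
    #
    # -g concerns local (-L/-D) forwards only and does not affect the -R
    # forward. -N/-T: no remote command, no tty. -v sends ssh debug output to
    # the journal.
    # ExitOnForwardFailure=yes makes ssh exit when the remote port cannot be
    # bound, and Restart=always/RestartSec retry 5 s later.
    # NOTE(review): no User= is set here, so the client presumably runs as
    # root and uses root's keys and known_hosts; confirm.
    # NOTE(review): hosts.mermet.extraArgs.ipv4 is presumably the target's
    # address; confirm against the hosts definition.
    ExecStart = ''${pkgs.openssh}/bin/ssh -v -g -N -T \
      -o ServerAliveInterval=10 \
      -o ExitOnForwardFailure=yes \
      -R *:10022:localhost:22 \
      ${hosts.mermet.extraArgs.ipv4}
    '';
    Restart = "always";
    RestartSec = "5s";
  };
};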
# SSH server started inside the initrd, on a port distinct from the regular
# sshd (22).
# NOTE(review): this only takes effect with initrd networking enabled, which
# is presumably configured elsewhere; confirm.
boot.initrd.network.ssh = {
  enable = true;
  port = 2222;
  # Host key used only by the initrd sshd. Keep it separate from the system's
  # regular host keys: the initrd is usually less protected than the running
  # system.
  hostKeys = [ "/root/initrd/ssh.key" ];
  # Reuses root's authorized keys, so every holder of one of those keys can
  # also log in to the pre-boot environment.
  authorizedKeys = users.root.openssh.authorizedKeys.keys;
  extraConfig = ''
  '';
};
# Allow X11 forwarding for sessions on this host's sshd. A forwarded display
# can be used by anyone on this host able to read the user's X authority
# data, so keep it enabled only while it is needed.
services.openssh.forwardX11 = true;
# System-wide ssh client configuration: turn on compression for outgoing
# connections.
programs.ssh.extraConfig = ''
  Compression = yes
'';
# Port mappings requested from the UPnP gateway. Each entry makes the listed
# external port reachable from outside the LAN: sshd (22/TCP), four Mosh
# ports (60000-60003/UDP) and the initrd sshd (2222/TCP).
# These ports are then exposed to whatever the gateway faces, so sshd and the
# initrd sshd should accept key authentication only.
services.upnpc.redirections =
  let
    # NOTE(review): presumably a lease time in seconds (30 minutes); confirm
    # against the upnpc module.
    lease = 30 * 60;
    sshd = [ "sshd.service" ];
    # One UDP mapping per Mosh port, started together with sshd.
    mosh = port: {
      description = "Mosh";
      externalPort = port;
      protocol = "UDP";
      duration = lease;
      service.wantedBy = sshd;
    };
  in
  [
    {
      description = "SSH";
      externalPort = 22;
      protocol = "TCP";
      duration = lease;
      service.wantedBy = sshd;
      # Only this entry is also partOf sshd.service; the others are not.
      service.partOf = sshd;
    }
  ]
  ++ map mosh (lib.range 60000 60003)
  ++ [
    {
      # Mapping for the initrd sshd on port 2222.
      # NOTE(review): duration = 0 presumably requests a mapping without
      # expiry, which would leave the pre-boot SSH port forwarded
      # indefinitely; confirm.
      description = "SSH (boot)";
      externalPort = 2222;
      protocol = "TCP";
      duration = 0;
      service.wantedBy = sshd;
    }
  ];
}