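{ pkgs, lib, config, hosts, ... }:
let
  # Lease length (seconds) for the steady-state UPnP redirections; the
  # entries below are re-requested by the upnpc service, so a short lease
  # limits how long a stale mapping outlives this host.
  leaseSeconds = 30 * 60;

  # Builds one UDP redirection per Mosh port. The four Mosh entries used to
  # be written out by hand and differed only in externalPort.
  moshRedirection = port: {
    description = "Mosh";
    externalPort = port;
    protocol = "UDP";
    duration = leaseSeconds;
    service.wantedBy = [ "sshd.service" ];
  };
in
{
  services.openssh = {
    # sshd is deliberately reachable from outside: the local firewall is
    # opened here and the router is asked to forward 22/TCP below.
    openFirewall = true;
    # X11 forwarding is an explicit choice; it mainly widens the exposure of
    # connecting clients, not of this server.
    settings.X11Forwarding = true;
  };

  # The host key is shipped as a systemd-creds encrypted credential. The
  # interpolated path copies ssh/host.key.cred into the Nix store, which is
  # acceptable only because the file is encrypted; the plaintext is produced
  # by systemd at service start and never lands in the store.
  systemd.services.sshd.serviceConfig.LoadCredentialEncrypted = [
    "host.key:${ssh/host.key.cred}"
  ];

  programs.ssh = {
    # Intentionally empty; kept so per-host client options have a place.
    extraConfig = '' '';
  };

  # Early-boot sshd in the initrd (e.g. for remote disk unlock), on its own
  # port so the initrd host key does not collide with the stage-2 host key.
  boot.initrd.network.ssh = {
    enable = true;
    port = 2222;
    # Same keys as root's stage-2 authorized_keys.
    authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
    # NOTE(review): this key lives outside the store and must be provisioned
    # out of band; the initrd is built from it, so treat it as a secret.
    hostKeys = [ "/root/initrd/ssh.key" ];
    extraConfig = '' '';
  };

  # Persistent reverse tunnel: publishes this host's sshd as port 10022 on
  # mermet (bound on all of mermet's interfaces because of the "*:" prefix).
  # Anyone who can reach mermet:10022 reaches this sshd, which is already
  # public, so this adds reachability rather than a new surface. Because
  # there is no tty, ssh fails closed on an unknown or changed host key, so
  # mermet's key must be present in root's known_hosts for the tunnel to
  # come up.
  systemd.services.ssh-mermet-reverse = {
    # After= alone does not pull the target in; Wants= is required for
    # network-online.target to actually be reached before we start.
    wants = [ "network-online.target" ];
    after = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "simple";
      # Require services.openssh.gatewayPorts = "clientspecified";
      # on the target.
      ExecStart = ''${pkgs.openssh}/bin/ssh -v -g -N -T \
        -o ServerAliveInterval=10 \
        -o ExitOnForwardFailure=yes \
        -R *:10022:localhost:22 \
        ${hosts.mermet._module.args.ipv4}
      '';
      # ExitOnForwardFailure makes a lost forward fatal; Restart re-establishes it.
      Restart = "always";
      RestartSec = "5s";
    };
  };

  # Router port forwards requested via UPnP. Each one widens what is
  # reachable from the internet, so the list is kept explicit.
  services.upnpc.enable = true;
  services.upnpc.redirections =
    [
      {
        description = "SSH";
        externalPort = 22;
        protocol = "TCP";
        duration = leaseSeconds;
        # Tied to sshd so the mapping is not requested while sshd is down.
        service.wantedBy = [ "sshd.service" ];
        service.partOf = [ "sshd.service" ];
      }
    ]
    ++ map moshRedirection (lib.range 60000 60003)
    ++ [
      {
        description = "SSH (boot)";
        externalPort = 2222;
        protocol = "TCP";
        # duration 0 presumably means a non-expiring lease (confirm against
        # the upnpc module): it is requested from the running system but has
        # to survive until the next boot's initrd sshd needs it.
        duration = 0;
        service.wantedBy = [ "sshd.service" ];
      }
    ];
}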