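# NixOS module for a host that must stay reachable behind NAT and whose initrd
# accepts SSH (e.g. to unlock disks remotely before the real sshd is up).
#
# Three things are configured:
#   1. a systemd service holding a persistent reverse SSH tunnel to `mermet`,
#      publishing this host's sshd on mermet:10022;
#   2. an extra (early) step of the `installer.ssh-nixos` script that ships the
#      initrd SSH host key, kept GPG-encrypted in the gnupg store, to the target;
#   3. dropbear in the initrd, listening on port 2222 with that host key.
{ pkgs, lib, config, machines, ... }:
let
  inherit (config.security) gnupg;
  inherit (config.users) users;
  # Path of the initrd host key, relative to both the gnupg store (stored there
  # as `<store>/initrd/ssh.key.gpg`) and /root on the target.
  initrdKey = "initrd/ssh.key";
in
{
  systemd.services.ssh-mermet-reverse = {
    # `after` alone only orders this unit relative to network-online.target if
    # something else pulls that target in; `wants` makes sure it is actually
    # activated (systemd needs both Wants= and After= for the wait to happen).
    wants = [ "network-online.target" ];
    after = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "simple";
      # No `User` is set, so ssh runs as root and uses /root/.ssh for its
      # identity and known_hosts. Without a tty the connection fails unless
      # mermet's host key is already known there — TODO confirm it is provisioned.
      #
      # `-R *:10022:localhost:22` asks mermet to bind 10022 on all of its
      # interfaces (mermet's sshd needs GatewayPorts for that), so this host's
      # sshd becomes reachable by anyone who can reach mermet:10022. `-g` only
      # affects local (-L/-D) forwards and is presumably a no-op here.
      # ExitOnForwardFailure=yes together with Restart=always makes a lost
      # forward tear the tunnel down and re-establish it after RestartSec.
      # `-v` logs verbosely to the journal; drop it once the tunnel is stable.
      ExecStart = ''${pkgs.openssh}/bin/ssh -v -g -N -T \
        -o ServerAliveInterval=10 \
        -o ExitOnForwardFailure=yes \
        -R *:10022:localhost:22 \
        ${machines.mermet.extraArgs.ipv4}
      '';
      Restart = "always";
      RestartSec = "5s";
    };
  };

  # Runs before the rest of the install script. The key is decrypted locally
  # and only ever travels inside the SSH session; on the target it is written
  # root-only (mode 400) straight from stdin, never to a temporary file.
  installer.ssh-nixos.script = lib.mkBefore ''
    # Send the SSH key of the initrd
    gpg --decrypt '${gnupg.store}/${initrdKey}.gpg' |
    ssh '${config.installer.ssh-nixos.target}' \
      install -D -m 400 -o root -g root /dev/stdin /root/${initrdKey}
  '';

  boot.initrd.network.ssh = {
    enable = true;
    # To prevent ssh from freaking out because a different host key is used,
    # a different port for dropbear is useful
    # (assuming the same host has also a normal sshd running)
    port = 2222;
    # Reuses root's normal authorized keys: whoever may log in as root may
    # also reach the initrd shell.
    authorizedKeys = users.root.openssh.authorizedKeys.keys;
    # NOTE(review): the initrd, and thus this host key, is usually stored
    # unencrypted under /boot, which is why a key dedicated to the initrd is
    # used here rather than the main sshd host key — confirm this still holds
    # for the deployment. The file presumably has to exist when the system is
    # built, hence the installer step above running first; TODO confirm.
    hostKeys = [ "/root/${initrdKey}" ];
  };
}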