{ config, lib, ... }:
{
  # persist the host key
  # prefer specifying it via environment.etc since although it is generated per-host,
  # it's made to be immutable after generation. hence, a `persist`-style mount wouldn't be as great.
  environment.etc."ssh/host_keys".source = "/nix/persist/etc/ssh/host_keys";
  # sane.persist.sys.plaintext = [ "/etc/ssh/host_keys" ];

  # let openssh find our host keys
  services.openssh.hostKeys = [
    { type = "rsa"; bits = 4096; path = "/etc/ssh/host_keys/ssh_host_rsa_key"; }
    { type = "ed25519"; path = "/etc/ssh/host_keys/ssh_host_ed25519_key"; }
  ];

  sane.ssh = rec {
    pubkeys."colin@lappy" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu";
    pubkeys."root@lappy" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJnqmVl9/SYQ0btvGb0REwwWY8wkdkGXQZfn/1geEc";

    pubkeys."colin@desko" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX";
    pubkeys."root@desko" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";

    pubkeys."colin@moby" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU";
    pubkeys."root@moby" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1N/IT3nQYUD+dBlU1sTEEVMxfOyMkrrDeyHcYgnJvw";

    pubkeys."colin@servo" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX";
    pubkeys."root@servo" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
    pubkeys."root@uninsane.org" = pubkeys."root@servo";
    # XXX: git.uninsane.org uses the same host key as servo, so we use this to populate known_hosts
    pubkeys."root@git.uninsane.org" = pubkeys."root@servo";
  };
}