# NixOS module: enables agenix and agenix-rekey on this host, points both age
# and sshd at the same on-disk host key, and records the public host key that
# each node's secrets are rekeyed for.
{ inputs, host, lib, ... }:
let
  # Public ed25519 host keys, one per node. These are public material and are
  # fine to commit. Each must match the private key stored at
  # /nix/keys/identity on that node, otherwise secrets rekeyed for the node
  # cannot be decrypted there.
  hostPubkeys = {
    phoenix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsrEEXQwcu4i7hOqCbpwd4EdC/+v9fAWm30MUXhVpp5";
    cepheus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGm1PymMJ2JnE973UCaezWQFKyZi7lsAzHshUUwafa8F";
    naos = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcR9C753wDWjg/oJxn6p9kLMaiaOPJFNT0xYPICXK52";
  };
in
{
  imports = [
    inputs.agenix.nixosModules.default
    inputs.agenix-rekey.nixosModules.default
  ];

  # Ships the agenix-rekey CLI on the host.
  # NOTE(review): the package set is pinned to x86_64-linux; confirm that every
  # host importing this module is that platform.
  environment.systemPackages = [ inputs.agenix-rekey.packages.x86_64-linux.default ];

  age = {
    # Private key age uses to decrypt secrets on the host. It is the same file
    # sshd is given as its host key below, so anyone who can read it can both
    # impersonate the host over SSH and decrypt every secret rekeyed for it.
    # Keep the file root-only and outside the Nix store.
    identityPaths = [ "/nix/keys/identity" ]; # default key path

    rekey = {
      # Master identity that decrypts the source secrets when rekeying.
      # `identity` is deliberately a string, not a Nix path literal: a path
      # literal would be copied into the world-readable Nix store.
      # `pubkey` is given explicitly next to it.
      # NOTE(review): this is a user SSH key in a home directory; whether it is
      # passphrase-protected cannot be seen from here. Confirm.
      masterIdentities = [
        {
          identity = "/home/user/.ssh/id_ed25519";
          pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEDqpSiQpbSsClh6UGb7Z2DA1Hy+EyePzTy+5hEVD/A";
        }
      ];

      # "local" keeps the rekeyed (host-encrypted) secrets in the repository
      # under localStorageDir. Both directories are path literals resolved
      # relative to this file and are separated per host via ${host}.
      storageMode = "local";
      generatedSecretsDir = ../../secrets/generated/${host};
      localStorageDir = ../../secrets/rekeyed/${host};
    };
  };

  # services.openssh.enable = true;
  # sshd host key and age identity are one and the same file. Rotating the SSH
  # host key therefore also means updating the node's public key above and
  # rekeying its secrets.
  services.openssh = {
    hostKeys = [
      {
        path = "/nix/keys/identity";
        type = "ed25519";
      }
    ];
  };

  # TODO: define key via hosts/<host>/default.nix
  # (the original comment reads "hosts//default.nix"; the placeholder was
  # presumably lost, confirm the intended path)
  # NOTE(review): `nodes` is not declared in this file; presumably a
  # project-level option defined elsewhere. Verify.
  nodes = {
    phoenix.age.rekey.hostPubkey = hostPubkeys.phoenix;
    cepheus.age.rekey.hostPubkey = hostPubkeys.cepheus;
    # tureis.age.rekey.hostPubkey = ""; # TODO
    naos.age.rekey.hostPubkey = hostPubkeys.naos;
  };
}