nixcfg/modules/darwin/security/ssh/default.nix

{
  lib,
  config,
  pkgs,
  inputs,
  ...
}:

let
  inherit (lib) types mkEnableOption mkIf;
  inherit (lib.metacfg) mkOpt;

  cfg = config.metacfg.security.ssh;
in
{
  options.metacfg.security.ssh = {
    enable = mkEnableOption "SSH";
  };

  config = mkIf cfg.enable {
    environment.systemPackages = with pkgs; [ openssh ];

    environment.shellInit = ''
      export SSH_AUTH_SOCK="$HOME/.ssh/ssh-agent.sock"
    '';

    launchd.user.agents.ssh-agent.serviceConfig = {
      Label = "ssh-agent";
      EnvironmentVariables.SSH_AUTH_SOCK = "/Users/${config.metacfg.user.name}/.ssh/ssh-agent.sock";
      ProgramArguments = [
        "${pkgs.openssh}/bin/ssh-agent"
        "-a"
        "/Users/${config.metacfg.user.name}/.ssh/ssh-agent.sock"
        "-D"
      ];
      RunAtLoad = true;
      KeepAlive.SuccessfulExit = true;
    };
  };
}