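# Home Manager module: materialises an SSH client config and private keys
# from a sops-encrypted file into ~/.ssh via `sops.secrets`.
#
# Options (under `hive.ssh`):
#   enable   - turn the module on.
#   keys     - names of the private keys to install; each becomes ~/.ssh/id_<name>.
#   sopsFile - sops file that holds a `config` entry and one `keys/<name>`
#              entry per listed key name.
{ config, lib, ... }:
let
  cfg = config.hive.ssh;
  sshDir = "${config.home.homeDirectory}/.ssh";

  # Build the `sops.secrets` attribute for a single private key.
  # NOTE(review): `name` is interpolated verbatim into both the sops key and
  # the target path, so a name containing "/" would land outside a flat
  # ~/.ssh/id_<name> layout - keep key names to plain file-name characters.
  mkKeySecret = name: {
    name = "ssh/id_${name}";
    value = {
      inherit (cfg) sopsFile;
      key = "keys/${name}";
      path = "${sshDir}/id_${name}";
      # OpenSSH rejects private keys that other users can read. Pin
      # owner-read-only explicitly instead of depending on the secret
      # module's default mode.
      mode = "0400";
    };
  };
in
{
  options.hive.ssh = {
    enable = lib.mkEnableOption "SSH keys and config";

    keys = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      description = ''
        A list of SSH key names. Each one results in an id_<name> file in .ssh
      '';
    };

    # No default on purpose: `null` is not a valid `types.path` value, so the
    # previous `default = null` could only ever fail with a type error once
    # the module was enabled. Leaving the option without a default makes the
    # module system report it as required instead.
    sopsFile = lib.mkOption {
      type = lib.types.path;
      description = ''
        Path to the sops file containing the SSH keys. Requires a config key,
        and a keys.<name> entry holding the private key for each name listed
        in keys.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    sops.secrets = {
      # The SSH client configuration itself is stored encrypted as well.
      "ssh/config" = {
        inherit (cfg) sopsFile;
        key = "config";
        path = "${sshDir}/config";
      };
    } // builtins.listToAttrs (map mkKeySecret cfg.keys);
  };
}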