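# NixOS module: enable sshd with key-only authentication and, when the host
# runs ZFS with the impermanence layer, keep the sshd host keys across reboots
# so the server identity (and every client's known_hosts entry) stays stable.
{ lib, config, ... }:
{
  options = {
    # Whether sshd's host keys are persisted through the impermanence module.
    # Defaults to on whenever both sshd and impermanence are enabled.
    services.openssh.impermanence.enable = lib.mkOption {
      type = lib.types.bool;
      default = config.services.openssh.enable && config.storage.impermanence.enable;
    };
  };

  config = lib.mkMerge [
    {
      services.openssh = {
        enable = true;
        ports = [ 22 ];
        settings = {
          # Key-based authentication only.  PasswordAuthentication = false on its
          # own is not sufficient on NixOS: sshd runs with UsePAM and the NixOS
          # default of KbdInteractiveAuthentication = true still lets PAM ask for
          # a password over the keyboard-interactive method, so both are disabled.
          PasswordAuthentication = false;
          KbdInteractiveAuthentication = false;
          # Reverse-resolve client addresses (for logs / hostname-based Match
          # blocks).  This is opt-in (upstream and NixOS default is "no") and
          # delays logins from clients whose reverse DNS is slow or broken.
          UseDns = true;
          X11Forwarding = false;
        };
      };
    }

    # SSH host keys need to be persisted to maintain server identity.
    (lib.mkIf config.storage.zfs.enable (lib.mkMerge [
      (lib.mkIf (!config.services.openssh.impermanence.enable) {
        # TODO: placeholder to configure a unique dataset for this service
      })

      (lib.mkIf config.services.openssh.impermanence.enable {
        # Register every configured host key pair (private file and its .pub)
        # on the root persistent dataset.  The private halves are secrets; this
        # relies on the impermanence module preserving their mode/ownership when
        # it bind-mounts or restores them — confirm that in the storage module.
        storage.impermanence.datasets."persist/system/root".files =
          builtins.listToAttrs (lib.concatMap (hostKey: [
            (lib.nameValuePair hostKey.path { enable = true; })
            (lib.nameValuePair "${hostKey.path}.pub" { enable = true; })
          ]) config.services.openssh.hostKeys);
      })
    ]))
  ];
}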