# OpenSSH server module.
#
# Declares `services.openssh.impermanence.enable`, enables sshd on port 22 with
# password logins and X11 forwarding turned off, and, when the impermanence
# option is on, registers every configured host key (private key and its `.pub`)
# as a file of the "system/root" replicated dataset.
{
  lib,
  config,
  ...
}: let
  sshCfg = config.services.openssh;

  # Value attached to every registered file path.
  persisted = {enable = true;};
in {
  # Defaults to on only when both sshd and storage impermanence are enabled.
  options.services.openssh.impermanence.enable = lib.mkOption {
    type = lib.types.bool;
    default = sshCfg.enable && config.storage.impermanence.enable;
  };

  config = {
    services.openssh = {
      enable = true;
      ports = [22];
      settings = {
        # NOTE(review): this disables sshd's "password" method only. Keyboard-interactive
        # (PAM) authentication is a separate setting that is not set in this module;
        # confirm whether KbdInteractiveAuthentication should be disabled as well.
        PasswordAuthentication = false;
        # sshd resolves the client's address to a host name. Any host-name based
        # matching then depends on the integrity of DNS; confirm this is wanted.
        UseDns = true;
        X11Forwarding = false;
      };
    };

    # Two entries per host key: the private key path and the matching public key.
    # NOTE(review): the private host keys become part of the "system/root" dataset.
    # Presumably that dataset is copied elsewhere; whoever can read a copy can
    # impersonate this host, so verify the destination's access control and encryption.
    storage.datasets.replicate."system/root".files = lib.mkIf sshCfg.impermanence.enable (
      builtins.listToAttrs (
        lib.concatMap (key: [
          (lib.nameValuePair key.path persisted)
          (lib.nameValuePair "${key.path}.pub" persisted)
        ])
        sshCfg.hostKeys
      )
    );
  };
}