{ config, lib, pkgs, ... }:

# OpenSSH client settings: canonicalise short hostnames into the internal
# domains and trust the server CA for host certificates.
let
  # Public key of the server CA, read at evaluation time. Only the .pub file
  # is referenced here; its contents are copied into the generated file below.
  serverCaPublicKey = builtins.readFile ../../../secrets/server-ca.pub;

  # Read-only known_hosts fragment holding a single @cert-authority entry.
  # NOTE(review): the host pattern is `*`, so a host certificate signed by
  # this CA is accepted for whatever hostname the client connects to, not
  # only for names under the canonical domains configured below. If every
  # CA-signed host lives in those domains, narrowing the pattern would limit
  # what a mis-issued certificate can impersonate -- confirm against the
  # fleet before changing it.
  caKnownHostsFile = pkgs.writeText "ca-known-hosts" ''
    @cert-authority * ${serverCaPublicKey}
  '';
in {
  # CanonicalizeMaxDots 0 restricts canonicalisation to dotless names, which
  # are tried against each CanonicalDomains suffix in the listed order.
  # CanonicalizePermittedCNAMEs lists, per source domain, the target domains a
  # CNAME may resolve to during canonicalisation.
  programs.ssh.extraConfig = ''
    CanonicalizeHostname yes
    CanonicalDomains int.as205479.net as205479.net otter-acoustic.ts.net
    CanonicalizeMaxDots 0
    CanonicalizePermittedCNAMEs *.lukegb.com:*.as205479.net,*.int.as205479.net,*.otter-acoustic.ts.net *.lukegb.dev:*.as205479.net,*.int.as205479.net,*.otter-acoustic.ts.net *.zxcvbnm.ninja:*.as205479.net,*.int.as205479.net,*.otter-acoustic.ts.net
  '';

  # Two whitespace-separated files: the user's own known_hosts comes first,
  # followed by the generated CA entry.
  programs.ssh.userKnownHostsFile =
    "~/.ssh/known_hosts ${caKnownHostsFile}";
}