# SSH client defaults for every host, plus a hook that empties the SSH agent.
{ pkgs, ... }:
{
  config = {
    # Presumably run when the session is locked (hook name suggests so; the
    # option is defined elsewhere). `ssh-add -D` deletes all identities from
    # the agent. It does not close connections that are already established,
    # so a multiplexed master kept alive by controlPersist below can still be
    # reused without re-authentication until it expires.
    # NOTE(review): confirm that window is acceptable for the lock threat model.
    frogeye.hooks.lock = ''
      ${pkgs.openssh}/bin/ssh-add -D
    '';

    programs.ssh = {
      enable = true;

      # Keep-alive probes: sent often enough that the server does not assume
      # the client has left. These travel inside the encrypted channel, which
      # is why they are not spoofable.
      serverAliveInterval = 30;

      # Connection multiplexing. 60s is long enough to cache what Ansible
      # needs, and short enough that I don't have to remember what I did
      # with my last connection.
      controlPersist = "60s";
      controlMaster = "auto";

      matchBlocks = {
        "*" = {
          # Never forward the agent (-A) by default: a remote machine that
          # receives the forwarded socket can use the loaded keys for as
          # long as the session lasts. Opt in per host where it is needed.
          forwardAgent = false;

          # Advertise a conservative terminal type; servers do not
          # necessarily ship the terminfo entry for a cutting-edge terminal.
          setEnv = {
            TERM = "xterm-256color";
          };

          # Check SSHFP records. With "yes", a host key matching a *secure*
          # (DNSSEC-validated) fingerprint is trusted implicitly; insecure
          # matches are handled as with "ask". Host authentication therefore
          # also depends on the validating resolver and the path to it.
          extraOptions.VerifyHostKeyDNS = "yes";
        };
      };
    };
  };
}