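# home-manager module for ssh-multi-proxy.
#
# Declares `programs.ssh.multi-proxy.tags` and renders one
# `Match tagged="<tag>"` block per tag into the user's ssh config, each with a
# ProxyCommand that delegates the connection to ssh-multi-proxy.
#
# Module arguments: `pkgs`, `config` and `lib` are the usual home-manager
# module arguments (`lib` is expected to provide `lib.hm.dag`); `inputs` is
# accepted for signature compatibility but not used here.
{ pkgs, inputs, config, lib, ... }:
let
  inherit (lib) types;

  # Directory that holds the ControlMaster sockets; created with mode 700 in
  # the config section below.
  controlDir = "~/.ssh/controlmasters";

  # Submodule describing one ssh-multi-proxy target tag.
  proxyTagType = types.submodule (
    { name, ... }:
    {
      options = {
        after = lib.mkOption {
          type = types.nullOr (types.listOf types.str);
          default = [ ];
          description = ''
            Names of other match blocks (hm.dag.entryAfter conditions) that this
            tag's match rule must be placed after. null leaves the rule unordered.
          '';
        };

        connectType = lib.mkOption {
          type = types.listOf (
            types.enum [ "all" "nomaster" "master" "direct" "indirect" ]
          );
          description = ''
            Select jump indirection mode: all|nomaster|{master,direct,indirect}
            using ControlMaster socket, only directly, only through SSH if direct
            connections fail. Passed to ssh-multi-proxy as one comma-separated
            `-i` argument.
          '';
        };

        jumpHost = lib.mkOption {
          type = types.nullOr types.str;
          # null is also okay for achieving happy eyeballs. An explicit default is
          # required: without it, reading tagDef.jumpHost below throws for every
          # tag that does not set the option.
          default = null;
          description = "Jump host handed to ssh-multi-proxy via -j, or null for none.";
        };

        noDirect = lib.mkEnableOption "Skip connecting to the remote host directly, always use the jump hosts";
      };
    }
  );

  # Builds the matchBlocks entry for a single tag.
  #
  # ssh runs ProxyCommand through the user's shell, so the jump host name is
  # shell-escaped before interpolation; the remaining pieces come from enum
  # values and fixed strings.
  mkTagBlock =
    tag: tagDef:
    let
      # Wrap the block in a DAG entry so the `after` ordering is honoured.
      # With after = null the block is passed through unordered.
      withOrder =
        if tagDef.after != null then lib.hm.dag.entryAfter tagDef.after else lib.id;

      proxyCommand = lib.concatStrings [
        "${lib.getExe pkgs.fc-scripts.ssh-multi-proxy} -v -p connect"
        # NOTE(review): the single quotes stop the shell from expanding `~`;
        # presumably ssh-multi-proxy expands it itself -- confirm.
        " --control-path='${controlDir}'"
        (lib.optionalString tagDef.noDirect " -n")
        " -i ${lib.concatStringsSep "," tagDef.connectType}"
        (lib.optionalString (tagDef.jumpHost != null) " -j ${lib.escapeShellArg tagDef.jumpHost}")
        " %h %p"
      ];
    in
    lib.nameValuePair "tagged-${tag}" (withOrder {
      match = ''tagged="${tag}"'';
      inherit proxyCommand;
      extraOptions = {
        # The helper passes the connected socket back to ssh instead of relaying.
        ProxyUseFdpass = "yes";
      };
    });
in
{
  imports = [ ./ensureDirs.nix ];

  options = {
    programs.ssh.multi-proxy.tags = lib.mkOption {
      type = types.attrsOf proxyTagType;
      default = { };
      description = "Set of ssh-multi-proxy target tag definitions.";
    };
  };

  config = lib.mkIf config.programs.ssh.enable {
    # Both the config directory and the socket directory must not be readable
    # by other users.
    home.ensureDirs = {
      ".ssh" = {
        mode = "700";
      };
      ".ssh/controlmasters" = {
        mode = "700";
      };
    };

    home.packages = [ pkgs.fc-scripts.ssh-multi-proxy ];

    programs.ssh = {
      # Opt out of home-manager's implicit "*" defaults; the explicit "*" block
      # below supplies them instead.
      enableDefaultConfig = false;
      package = lib.mkDefault pkgs.openssh;

      extraOptionOverrides = {
        CanonicalizeHostname = "yes";
        CanonicalizeFallbackLocal = "yes";
      };

      matchBlocks =
        {
          # default, gets placed last by home-manager
          "*" = {
            serverAliveInterval = 10;
            serverAliveCountMax = 2; # 2 strikes and you're out
            forwardAgent = false;
            addKeysToAgent = "no";
            compression = false;
            hashKnownHosts = false;
            userKnownHostsFile = "~/.ssh/known_hosts";
            controlMaster = "no";
            controlPath = "${controlDir}/%r@%n:%p";
            controlPersist = "no";
          };
        }
        # ssh-multi-proxy tag definitions, one match block per tag
        // lib.mapAttrs' mkTagBlock config.programs.ssh.multi-proxy.tags;
    };
  };
}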