{
  config,
  inputs,
  lib,
  ...
}: let
  isBuildHost = config.networking.hostName == "dunamis";
in {
  config = lib.mkMerge [
    (lib.mkIf isBuildHost {
      nix = let
        inherit (builtins) readFile;
        inherit (config.users.users) user;
      in {
        sshServe = {
          enable = true;
          keys = map (f: readFile f) user.openssh.authorizedKeys.keyFiles;
          protocol = "ssh-ng";
          trusted = true;
          write = true;
        };
      };
      security.pam.sshAgentAuth.enable = true;
    })
    (lib.mkIf (!isBuildHost) {
      nix = let
        inherit (builtins) readFile;
        inherit (config.networking) hostName;
        inherit (config.sops) secrets;
        inherit (inputs) mysecrets;
        pubHost = readFile "${mysecrets}/ssh/ssh_host_ed25519_dunamis.base64";
      in {
        distributedBuilds = true;
        buildMachines = [
          {
            hostName = "dunamis";
            maxJobs = 3;
            protocol = "ssh-ng";
            publicHostKey = pubHost;
            speedFactor = 2;
            sshKey = secrets."ssh-${hostName}-user".path;
            sshUser = "nix-ssh";
            supportedFeatures = ["benchmark" "big-parallel" "kvm" "nixos-test"];
            system = "x86_64-linux";
          }
        ];
      };
    })
  ];
}