# Module factory for per-user SSH secrets and SSH client settings.
#
# Called with `user` and `home`, it returns a module that sets
# `home-manager.users.<user>` with:
#   * sops-managed SSH private keys and their passphrases,
#   * an SSH match block for the SAS login host,
#   * clipbook bookmarks whose sources are the decrypted passphrase files.
#
# Arguments:
#   user - home-manager user to configure; evaluation throws if it is omitted.
#   home - prefix for the decrypted key paths under `.ssh`; throws if omitted.
{
  user ? throw "user argument is required",
  home ? throw "home argument is required",
}:
{ config, inputs, system, lib, ... }:
let
  hmConfig = config.home-manager.users.${user};
  selfPkgs = inputs.self.packages.${system};

  # Encrypted sops files, one per identity.
  personalSecrets = ../../../../../../../secrets/personal/secrets.yaml;
  sasSecrets = ../../../../../../../secrets/sas/secrets.yaml;

  # Where the decrypted private keys are placed. The SAS path is also used as
  # the match block's identityFile, so it is defined once here.
  personalKeyPath = "${home}/.ssh/ssh_personal_ed25519_key";
  sasKeyPath = "${home}/.ssh/ssh_sas_ed25519_key";
in
{
  home-manager.users.${user} = {
    # No `mode` is set on any secret below, so file permissions are whatever
    # the sops module applies by default.
    # NOTE(review): confirm the decrypted key files end up readable by the
    # owner only; ssh refuses private keys with looser permissions.
    sops.secrets = {
      "ssh/personal/key" = {
        sopsFile = personalSecrets;
        key = "ssh/key";
        path = personalKeyPath;
      };
      # No explicit `path`: the passphrase is written to the sops module's
      # default location and is only referenced through `.path` below.
      "ssh/personal/pass" = {
        sopsFile = personalSecrets;
        key = "ssh/pass";
      };
      "ssh/sas/key" = {
        sopsFile = sasSecrets;
        key = "ssh/key";
        path = sasKeyPath;
      };
      "ssh/sas/pass" = {
        sopsFile = sasSecrets;
        key = "ssh/pass";
      };
    };

    programs = {
      ssh = {
        matchBlocks = {
          # NOTE(review): `identitiesOnly` is not set here, so ssh may also
          # offer other identities held by the agent (for example the personal
          # key) to this host. Consider `identitiesOnly = true;` to restrict
          # the host to the SAS key.
          "cldlgn.fyi.sas.com" = {
            user = user;
            hostname = "cldlgn.fyi.sas.com";
            identityFile = sasKeyPath;
          };
        };

        # The known-hosts package is added only when `config.sas.build.private`
        # is true; otherwise the list is empty.
        # NOTE(review): with an empty list this module supplies no pinned host
        # key for the host above. Confirm the host key is verified some other
        # way in non-private builds.
        userKnownHostsFiles =
          lib.lists.optionals config.sas.build.private [
            selfPkgs.ssh-known-hosts-sas-cldlgn
          ];
      };

      # Each bookmark's source is the decrypted passphrase file of the
      # matching sops secret.
      # NOTE(review): presumably clipbook places the file contents on the
      # clipboard. Verify that clipboard history or clipboard managers do not
      # retain the passphrases. The key and its passphrase are both decrypted
      # onto the same host, so the passphrase adds little against anyone who
      # can read both files.
      clipbook.bookmarks = {
        "Personal SSH Key Passphrase".source = hmConfig.sops.secrets."ssh/personal/pass".path;
        "SAS SSH Key Passphrase".source = hmConfig.sops.secrets."ssh/sas/pass".path;
      };
    };
  };
}