class ssh (
  Variant[Enum['prohibit-password'], Boolean] $permit_root_login = false,
  Array[String] $authorized_keys = [],
) {

  $pkgs = $facts['os']['family'] ? {
    'Debian' => ['openssh-server'],
    'Archlinux' => ['openssh'],
  }

  ensure_packages($pkgs)

  $root_login = $permit_root_login ? {
    'prohibit-password' => 'prohibit-password',
    true                => 'yes',
    false               => 'no',
  }

  file_line { 'sshd permit_root_login':
    ensure => present,
    path   => '/etc/ssh/sshd_config',
    line   => "PermitRootLogin ${root_login}",
    match  => '^#? *PermitRootLogin ',
  }

  file { '/root/.ssh':
    ensure => directory,
  }

  file { '/root/.ssh/authorized_keys':
    ensure => file,
  }

  $authorized_keys.each |$key| {
    file_line { "Authorize ssh key ${key}":
      path => '/root/.ssh/authorized_keys',
      line => $key,
    }
  }

  # file { '/etc/ssh/sshd_config':
  #   ensure  => file,
  #   content => epp('ssh/sshd_config.epp'),
  # }
}