diff --git a/legacy/.ssh/config b/legacy/.ssh/config
deleted file mode 100644
index d776a72..0000000
--- a/legacy/.ssh/config
+++ /dev/null
@@ -1,25 +0,0 @@
-Host *
- # Share SSH connection.
- # If disabling, consider impact on ssh agent forwarding in screen
- # sessions (see .ssh/rc file).
- ControlMaster auto
- ControlPath ~/.ssh/ctl/%r@%h:%p
- ControlPersist 10m
- # When a shared connection is broken (remote reboot), detect it faster.
- ServerAliveInterval 11
- ServerAliveCountMax 2
-
- ConnectTimeout 10
- AddKeysToAgent yes
-
-#Host custom-host-with-xorg
-# HostName custom-hostname
-# User crate
-# ForwardX11 yes
-# ForwardX11Trusted yes
-
-#Host always-changing-keys-dont-care
-# StrictHostKeyChecking no
-# UserKnownHostsFile=/dev/null
-
-Include config.d/*
diff --git a/legacy/.ssh/ctl/.gitkeep b/legacy/.ssh/ctl/.gitkeep
deleted file mode 100644
index e69de29..0000000
diff --git a/legacy/.ssh/rc b/legacy/.ssh/rc
deleted file mode 100755
index 1423a24..0000000
--- a/legacy/.ssh/rc
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/sh
-
-# When SSH-ing with agent forwarding enabled, this variable is set by sshd
-# itself. However, an existing screen session that we attach to will not have
-# its SSH_AUTH_SOCK environment variable updated, so we hardcode this path in
-# .screenrc and create a symlink to keep it alive.
-#
-# It WILL break if two sessions are opened to a machine, and a newer one is
-# terminated. ControlMaster in .ssh/config solves this problem by sharing the
-# connection (and as a result, sharing SSH agent socket).
-[ -n "$SSH_AUTH_SOCK" ] && ln -sf "$SSH_AUTH_SOCK" ~/.ssh/ssh_auth_sock
diff --git a/modules/home/common.nix b/modules/home/common.nix
index 60b5542..08aeb27 100644
--- a/modules/home/common.nix
+++ b/modules/home/common.nix
@@ -188,5 +188,49 @@
 '';
 };
 
+ programs.ssh = {
+ enable = true;
+ enableDefaultConfig = false;
+ includes = [ "config.d/*" ];
+
+ settings = {
+ "*" = {
+ # Share SSH connection.
+ # If disabling, consider impact on ssh agent forwarding in screen
+ # sessions (see .ssh/rc file).
+ ControlMaster = "auto";
+ ControlPath = "~/.ssh/ctl/%r@%h:%p";
+ ControlPersist = "10m";
+
+ # When a shared connection is broken (remote reboot), detect it faster.
+ ServerAliveInterval = 11;
+ ServerAliveCountMax = 2;
+
+ ConnectTimeout = 10;
+ AddKeysToAgent = "yes";
+ };
+ };
+ };
+
+ home.file = {
+ ".ssh/rc" = {
+ executable = true;
+ text = ''
+ #!/bin/sh
+
+ # When SSH-ing with agent forwarding enabled, this variable is set by sshd
+ # itself. However, an existing screen session that we attach to will not have
+ # its SSH_AUTH_SOCK environment variable updated, so we hardcode this path in
+ # .screenrc and create a symlink to keep it alive.
+ #
+ # It WILL break if two sessions are opened to a machine, and a newer one is
+ # terminated. ControlMaster in .ssh/config solves this problem by sharing the
+ # connection (and as a result, sharing SSH agent socket).
+ [ -n "$SSH_AUTH_SOCK" ] && ln -sf "$SSH_AUTH_SOCK" ~/.ssh/ssh_auth_sock
+ '';
+ };
+ ".ssh/ctl/.keep".text = "";
+ };
+
 home.stateVersion = "25.11"; # never modify
 }
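Review bot: The `"*"` block enables connection sharing with `ControlPersist = "10m"` for every destination, so an authenticated master socket under `~/.ssh/ctl` stays usable for ten minutes after the last session exits and can be reused without re-authentication by any process running as this user. ssh_config(5) recommends that the ControlPath directory not be writable by other users; `".ssh/ctl/.keep".text = ""` only guarantees the directory exists, so its mode presumably follows whatever umask home-manager activation runs with and is worth confirming as 0700. Since `%r@%h:%p` can exceed the Unix socket path limit for long host names, `ControlPath = "~/.ssh/ctl/%C";` is the more robust form, and a short comment such as `# master stays authenticated for 10m; keep ~/.ssh/ctl private` next to `ControlPersist` would record the trade-off. The module's attribute set opens outside this hunk.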