{ lib, ... }: {
  services.openssh = {
    enable = true;
    openFirewall = true;

    kbdInteractiveAuthentication = lib.mkDefault false;
    permitRootLogin = lib.mkDefault "prohibit-password";
    passwordAuthentication = lib.mkDefault false;
  };

  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKp1Rfb2acLM/5TDUahu+AdV/HVw+hoOTdQIeQIjV5p8"
  ];
}