{ config, ... }: {
  services.openssh = {
    enable = true;
    openFirewall = true;

    permitRootLogin = "prohibit-password";
    passwordAuthentication = false;
    kbdInteractiveAuthentication = false;
  };

  users.users.root.openssh.authorizedKeys.keys = config.users.users.bertof.openssh.authorizedKeys.keys or [ ];
}