nix-dotfiles/nixos/basics/remote-deploy.nix

{ lib, ... }:
{
  services.openssh = {
    enable = true;
    openFirewall = true;
    settings = {
      KbdInteractiveAuthentication = lib.mkDefault false;
      # PermitRootLogin = lib.mkDefault "prohibit-password";
      PasswordAuthentication = lib.mkDefault false;
    };
  };

  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKobKuuJCoQ7gj/NeE57wfSg/Qs4X3osw9xXook3PMAP bertof@extra"
  ];
}