# NixOS module: public-key-only OpenSSH daemon with every forwarding channel
# switched off, plus the authorized key for the root account.
{ pkgs, lib, ... }:
let
  # Raw sshd_config directives, handed to services.openssh.extraConfig below.
  # sshd keywords are case-insensitive, so the mixed casing is harmless.
  #
  #   allowtcpforwarding / X11Forwarding / AllowAgentForwarding /
  #   AllowStreamLocalForwarding no
  #       - no TCP, X11, agent or Unix-socket forwarding through this host.
  #   AuthenticationMethods publickey
  #       - a public-key authentication must succeed; nothing else suffices.
  #   Protocol 2
  #       - legacy keyword; NOTE(review): current OpenSSH only implements
  #         protocol 2, so this is presumably kept for checklist parity.
  #   MaxAuthTries 4, LoginGraceTime 60, maxstartups 10:30:60
  #       - bound authentication attempts per connection, the time allowed to
  #         authenticate, and the number of unauthenticated connections.
  #   MaxSessions 4
  #       - cap on sessions multiplexed over one network connection.
  #   ClientAliveInterval 15 / ClientAliveCountMax 3
  #       - an unresponsive client is dropped after roughly 45 seconds.
  #   PermitEmptyPasswords / PermitUserEnvironment / HostbasedAuthentication no,
  #   IgnoreRhosts yes
  #       - closes the empty-password, user-supplied-environment and
  #         rhosts/host-based trust paths.
  #   banner /etc/issue.net
  #       - NOTE(review): nothing in this file creates /etc/issue.net, and
  #         NixOS has its own services.openssh.banner option. sshd keeps the
  #         first value it reads for a keyword, so if the module already emits
  #         a Banner line ahead of extraConfig this one is a no-op. Confirm
  #         the effective value with `sshd -T`.
  sshdDirectives = ''
    allowtcpforwarding no
    X11Forwarding no
    AllowAgentForwarding no
    AllowStreamLocalForwarding no
    AuthenticationMethods publickey
    Protocol 2
    MaxAuthTries 4
    PermitEmptyPasswords no
    PermitUserEnvironment no
    MaxSessions 4
    LoginGraceTime 60
    ClientAliveCountMax 3
    ClientAliveInterval 15
    HostbasedAuthentication no
    IgnoreRhosts yes
    banner /etc/issue.net
    maxstartups 10:30:60
  '';
in
{
  services.openssh = {
    enable = true;

    # Password and keyboard-interactive logins are both disabled.
    # challengeResponseAuthentication is OpenSSH's deprecated alias for
    # KbdInteractiveAuthentication; both are set to the same value here.
    settings.PasswordAuthentication = false;
    settings.challengeResponseAuthentication = false;
    settings.KbdInteractiveAuthentication = false;

    # PermitRootLogin is left commented out, so the NixOS module's default
    # applies. Root has an authorized key further down, so whether key-based
    # root login is accepted depends on that default.
    # TODO(review): state the intended value explicitly.
    # settings.PermitRootLogin = "no";
    # settings.UsePAM = false;

    # mkDefault: off unless another module sets a value at normal priority.
    # With openFirewall off, this module does not open the SSH port itself.
    openFirewall = lib.mkDefault false;
    allowSFTP = lib.mkDefault false;
    # startWhenNeeded = true;

    extraConfig = sshdDirectives;
  };

  users.users = {
    root = {
      # isSystemUser = true;
      # isNormalUser = true;
      uid = 0;

      # Sole key accepted for root. Judging by the file name this is an
      # ed25519-sk (security-key backed) public key; confirm against the file.
      openssh.authorizedKeys = {
        keyFiles = [ ../ssh/id_ed25519_sk.pub ];
      };

      # home = "/root";

      # No password hash is declared for root. NOTE(review): what that means
      # for an existing root password depends on users.mutableUsers, which is
      # not set in this file.
      hashedPassword = null;

      # mkForce: wins over any other module's value for createHome.
      createHome = lib.mkForce true;
    };
  };

  # Starts the OpenSSH agent for user sessions. Agent *forwarding* into this
  # host stays disabled by AllowAgentForwarding above.
  programs.ssh.startAgent = true;

  # security.sudo.enable = false;
  # services.yubikey-agent.enable = true;
}