# NixOS module: key-only OpenSSH server that exposes a single ed25519 host key.
{ lib, ... }:
{
  services.openssh = {
    enable = true;

    # mkForce replaces any host key list defined elsewhere instead of merging
    # with it, so ed25519 is the only host key type that gets generated.
    hostKeys = lib.mkForce [
      {
        type = "ed25519";
        path = "/etc/ssh/ssh_host_ed25519_key";
      }
    ];

    settings = {
      # Public-key authentication only: both password-style mechanisms are off.
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;

      # mkDefault is a low-priority definition: any other module that sets
      # PermitRootLogin at normal priority overrides this "no" without a
      # conflict error, so check the evaluated config if root login must stay off.
      PermitRootLogin = lib.mkDefault "no";

      # Hotfix CVE-2024-6387 https://github.com/NixOS/nixpkgs/pull/323753
      # 0 disables the login grace timeout, which is the code path the CVE
      # depends on. Trade-off: unauthenticated connections are no longer timed
      # out, so idle ones can hold sshd's MaxStartups slots and block new logins.
      # NOTE(review): drop this once the pinned nixpkgs ships a patched OpenSSH.
      LoginGraceTime = 0;
    };
  };
}