{ lib, ... }:

{

  services.openssh.enable = true;
  services.openssh.settings = {
    PasswordAuthentication = false;
    KbdInteractiveAuthentication = false;
    PermitRootLogin = lib.mkDefault "no";
  };
  services.openssh.hostKeys = lib.mkForce [
    # Only create ed25519 host keys
    { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
  ];

}