# NixOS module fragment: SSH daemon hardening.
# Wrapped in lib.mkIf, so these values only take effect when
# services.openssh.enable is already true; this fragment does not enable sshd.
{ lib, config, ... }: lib.mkIf config.services.openssh.enable {
services.openssh = {
# Entries under `settings` are rendered into sshd_config.
settings = {
# root may still log in over SSH, but only with non-password methods
# (e.g. public key); password and keyboard-interactive are refused for root.
# NOTE(review): if root SSH access is not required, "no" is the stricter value.
PermitRootLogin = "prohibit-password";
# Disable password authentication for all accounts, so online password
# guessing against sshd cannot succeed.
# NOTE(review): keyboard-interactive is a separate sshd setting
# (KbdInteractiveAuthentication) and is not set here — confirm its effective
# value, since via PAM it can still present a password prompt to non-root users.
PasswordAuthentication = false;
};
# Have the NixOS firewall accept inbound connections on the sshd port(s).
# NOTE(review): no source-address restriction is visible in this fragment;
# confirm whether exposure should be limited (e.g. management network/VPN only).
openFirewall = true;
# NOTE(review): the terminating `;` for this attribute and the closing `}` of
# the mkIf attribute set are not visible in this excerpt — confirm the file is
# complete, otherwise it will not evaluate.
}