{ lib, config, ... }: lib.mkIf config.services.openssh.enable {
  services.openssh = {
    settings = {
      PermitRootLogin = "prohibit-password";
      PasswordAuthentication = false;
    };
    openFirewall = true;
  };
}