# NixOS module: key-only sshd with a loopback exception for root, plus mosh.
{ config, ... }:

let
  # sshd_config fragment appended through services.openssh.extraConfig.
  # The original note on this setting reads "Required for root"; what consumes
  # it is not visible here (TODO: name the tool that logs in as root over
  # loopback, so the exception can be removed when that tool goes away).
  #
  # Effect: connections whose source address is 127.0.0.1 get
  # `PermitRootLogin yes` instead of the global "prohibit-password".
  # Points to keep in mind when reviewing this exception:
  #   * Only PermitRootLogin is overridden; the global
  #     PasswordAuthentication=no still applies inside the Match block.
  #   * `yes` also lifts the keyboard-interactive restriction that
  #     "prohibit-password" imposes on root. Whether that method is enabled
  #     depends on sshd defaults not set in this file -- confirm, or pin it
  #     off explicitly if root should stay key-only on loopback too.
  #   * The loopback source is not proof of a trusted caller: every local
  #     account and anything forwarded or proxied through this host connects
  #     from 127.0.0.1.
  #   * ::1 is not matched, so IPv6 loopback keeps the stricter global policy.
  loopbackRootMatch = ''
    Match Address 127.0.0.1
      PermitRootLogin yes
  '';
in
{
  services.openssh = {
    enable = true;

    # Global policy: no password logins for anyone, and root may only use
    # non-password methods (in practice, public keys).
    # NOTE(review): newer NixOS releases expose these two options under
    # services.openssh.settings.*; the names below are kept as the author
    # wrote them.
    passwordAuthentication = false;
    permitRootLogin = "prohibit-password";

    extraConfig = loopbackRootMatch;
  };

  # Mosh is enabled as well; no specific reason is recorded. Mosh sessions are
  # bootstrapped over SSH, so the sshd policy above still gates who can start
  # one. NOTE(review): on NixOS this option is expected to open a UDP port
  # range in the firewall as well -- confirm the exposure is intended.
  programs.mosh.enable = true;
}