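# NixOS module: enables the OpenSSH daemon on `sshPort` and opens the same
# port in the host firewall.
#
# Kept one statement per line on purpose: a `#` comment runs to the end of the
# line, so collapsing this file onto a single line comments out everything
# after the first `#` and leaves the braces unbalanced.
{ lib, config, ... }:
let
  # Single definition of the port so the sshd listener and the firewall rule
  # cannot drift apart.
  sshPort = 22;
in
{
  services.openssh = {
    enable = true;
    ports = [ sshPort ];

    # mkForce overrides any other definition of this option, leaving this one
    # path. The path has no %u token, so sshd reads the same file for every
    # account: a key listed there is accepted for any non-root user.
    # NOTE(review): whether ~/.ssh/authorized_keys is still consulted depends
    # on the NixOS release and its home-directory key setting; confirm.
    authorizedKeysFiles = lib.mkForce [ "/etc/ssh/authorized_keys.d/default" ];

    settings = {
      # Harden: key-only login. The original had PasswordAuthentication = true
      # under this heading, which left password guessing possible on a port
      # that the firewall rule below opens.
      PasswordAuthentication = false;
      # Keyboard-interactive can still prompt for a password through PAM, so
      # it is disabled together with PasswordAuthentication.
      KbdInteractiveAuthentication = false;
      PermitRootLogin = "no";
      # Operational caveat: populate the authorized keys file above before
      # deploying; there is no password fallback once this is active.

      # Automatically remove stale sockets
      StreamLocalBindUnlink = "yes";
    };
  };

  networking.firewall.allowedTCPPorts = [ sshPort ];
}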