{ config, ... }:

{
  config.services.openssh = {
    enable = true;
    settings = {
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      PermitRootLogin = "no";
    };
    AllowUsers = [ "numbus-admin" ];
    ports = [ 245 ]
  };

  config.sops.secrets."authorizedSshPublicKeys" = {
    sopsFile = /etc/nixos/secrets/system/ssh.yaml;
    mode = "0440";
    owner = "numbus-admin";
    path = "/home/numbus-admin/.ssh/authorized_keys";
  };
}