{lib, ...}: {
  services.openssh = {
    enable = true;
    passwordAuthentication = false;
    kbdInteractiveAuthentication = lib.mkDefault false;
    permitRootLogin = "prohibit-password";
    kexAlgorithms = ["curve25519-sha256@libssh.org"];
    extraConfig = ''
      StreamLocalBindUnlink yes
      LogLevel VERBOSE
    '';
  };
}