{lib, ...}: {
  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = "prohibit-password";
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = lib.mkDefault false;
      StreamLocalBindUnlink = true;
      KexAlgorithms = ["curve25519-sha256@libssh.org"];
      LogLevel = "VERBOSE";
    };
  };
}