nixfiles/profiles/sshd/sshd.nix

{lib, ...}: let
  inherit (lib.modules) mkDefault;
in {
  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = "prohibit-password";
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = mkDefault false;
      StreamLocalBindUnlink = true;
      KexAlgorithms = ["curve25519-sha256@libssh.org"];
      LogLevel = "VERBOSE";
    };
  };
}