{ lib, ... }:

{
  # ssh-keygen -t ed25519 -f ./deploy_key -N "" -C "forgejo-deploy-runner"
  users.users.root.openssh.authorizedKeys.keyFiles = [
    ./deploy_key.pub
  ];

  nix.settings.trusted-users = [ "root" ];

  services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";
}