{
  services.openssh = {
    enable = true;

    settings = {
      ClientAliveInterval = 300;

      KbdInteractiveAuthentication = false;
      PasswordAuthentication = false;
      PermitRootLogin = "no";
    };
  };

  networking.firewall.allowedTCPPorts = [ 22 ];
}