{ config, ... }:
{
  services.openssh = {
    enable = true;
    permitRootLogin = "yes";
    passwordAuthentication = false;
  };

  users.users.root.openssh.authorizedKeys.keys = config.sbruder.pubkeys.trustedKeys;
}