cyper-nix/nixos/ssh.nix

{ primaryUser, ... }:
{
  services.openssh = {
    enable = true;
    openFirewall = true;
    settings = {
      PasswordAuthentication = false;
      PermitRootLogin = "no";
    };
  };
  users.users.${primaryUser}.openssh.authorizedKeys.keyFiles = [ ../secrets/ssh-key ];
  programs.ssh.startAgent = true;
  security.doas = {
    enable = true;
    wheelNeedsPassword = false;
  };
}