{ ... }:
{
  networking.firewall.allowedTCPPorts = [ 22 ];

  sops.secrets."ssh/nixremote/private" = {
    sopsFile = ../../secrets/default.yaml;
    path = "/root/.ssh/nixremote";
    mode = "600";
  };

  services.openssh = {
    enable = true;
    ports = [ 22 ];
    settings = {
      PermitRootLogin = "no";
      PasswordAuthentication = true;
    };
  };

  programs.ssh = {
    extraConfig = ''
      Host lilith-server-builder
        HostName firelilith.org
        User nixremote
        IdentityFile /home/lilith/.ssh/nixremote
        ConnectTimeout 5
      Host lilith-pc-builder
        HostName lilith-pc
        User nixremote
        IdentityFile /home/lilith/.ssh/nixremote
        ConnectTimeout 5
    '';
  };
}