{ ... }:
{
  networking.firewall.allowedTCPPorts = [ 22 ];

  sops.secrets."ssh/nixremote/private" = {
    sopsFile = ../../secrets/default.yaml;
    path = "/root/.ssh/nixremote";
  };

  services.openssh = {
    enable = true;
    ports = [ 22 ];
    settings = {
      PermitRootLogin = "no";
      PasswordAuthentication = false;
    };
  };

  programs.ssh = {
    extraConfig = ''
      Host lilith-server-builder
        HostName 2a01:4f9:4a:1ecb::2
        User nixremote
        IdentityFile /root/.ssh/nixremote
    '';
  };
}