{ config, ... }:
let sshPort = config.hostSpec.networking.ports.tcp.ssh;
in {
  services.openssh = {
    enable = true;
    ports = [ sshPort ];

    settings = {
      PermitRootLogin = "no";
      KbdInteractiveAuthentication = false;
      PasswordAuthentication = false;
    };

    openFirewall = true;
  };

  networking.firewall.allowedTCPPorts = [ sshPort ];
}