{ secret, ... }:
{
  users.users.root.openssh.authorizedKeys.keys = secret.ssh.trustedKeys;
  services.openssh = {
    enable = true;
    allowSFTP = true;
    ports = [ 22143 ];
    listenAddresses = [
      {
        addr = "[::]";
        port = 22143;
      }
    ];
    settings = {
      GSSAPIAuthentication = false;
      HostbasedAuthentication = false;
      KbdInteractiveAuthentication = false;
      KerberosAuthentication = false;
      LoginGraceTime = "1m";
      MaxSessions = 10;
      PasswordAuthentication = false;
      PermitEmptyPasswords = false;
      PermitRootLogin = "prohibit-password";
      PubkeyAuthentication = true;
      StrictModes = false;
      UseDns = false;
      UsePAM = true;
      AllowUsers = [
        "root"
        "nixbuilder"
      ];
    };
  };
}