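# NixOS module: key-only OpenSSH server with host keys kept on the
# persistent volume.
#
# Each sshd_config directive in `extraConfig` is on its own line. With all
# of them on a single line, sshd would read everything after
# `AllowTcpForwarding yes` as trailing arguments to that one keyword.
{ pkgs, lib, config, inputs, ... }:
{
  config = {
    services.openssh = {
      enable = true;

      # This module does not open the SSH port in the firewall; reachability
      # depends on rules defined elsewhere.
      openFirewall = false;

      allowSFTP = true;

      # Socket-activated: systemd listens and starts sshd on demand.
      startWhenNeeded = true;

      # Text appended to the generated sshd_config.
      #
      # NOTE(review): `AllowTcpForwarding yes` is global, so it also applies
      # to the `git` account. If that account exists only for repository
      # access, consider a `Match User git` block that turns forwarding off.
      #
      # NOTE(review): `StreamLocalBindUnlink yes` looks inert while
      # `AllowStreamLocalForwarding no` is set; confirm it is intentional.
      extraConfig = ''
        AllowTcpForwarding yes
        X11Forwarding no
        AllowAgentForwarding no
        AllowStreamLocalForwarding no
        AuthenticationMethods publickey
        StreamLocalBindUnlink yes
        AllowUsers tzlil git
      '';

      # Password, keyboard-interactive and root logins are all disabled, which
      # matches `AuthenticationMethods publickey` above.
      settings = {
        PermitRootLogin = "no";
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
      };
    };

    # Persist the host key pairs across reboots so the server's identity, and
    # therefore clients' known_hosts entries, stays stable.
    # NOTE(review): the private keys live under /nix/persist; verify that they
    # stay root-owned and unreadable by other users there, and that backups of
    # that volume are protected accordingly.
    environment.persistence."/nix/persist" = {
      hideMounts = true;
      files = [
        "/etc/ssh/ssh_host_ed25519_key"
        "/etc/ssh/ssh_host_ed25519_key.pub"
        "/etc/ssh/ssh_host_rsa_key"
        "/etc/ssh/ssh_host_rsa_key.pub"
      ];
    };
  };
}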