# NixOS module: enables the OpenSSH daemon with password logins turned off
# and installs two ed25519 public keys for the root account.
# `config` and `pkg` are accepted but not referenced in this file.
{ config, pkg, ... }:

let
  # Public keys allowed to log in as root. The trailing word on each entry
  # is the key's comment field and labels the owner.
  # NOTE(review): these keys grant direct root access; no PermitRootLogin
  # setting is made here, so the module default applies. Confirm that
  # default is key-only on the NixOS release in use.
  rootAuthorizedKeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME soispha"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils"
  ];

  # The only host key sshd is given: an ed25519 key at a fixed path under
  # /srv/sshd instead of the usual /etc/ssh location.
  # NOTE(review): presumably /srv/sshd is persistent storage. Verify that the
  # directory and the private key are readable by root only.
  # NOTE(review): `rounds` only matters for a passphrase-protected key. Host
  # keys are normally generated without one, so it likely adds no protection
  # here. Confirm.
  ed25519HostKey = {
    comment = "key comment";
    path = "/srv/sshd/ssh_host_ed25519_key";
    rounds = 1000;
    type = "ed25519";
  };
in
{
  services.openssh = {
    enable = true;

    # Key-based login only.
    # NOTE(review): keyboard-interactive authentication is a separate sshd
    # setting that this file does not touch. Confirm it is also disabled,
    # otherwise PAM may still offer a password prompt.
    passwordAuthentication = false;

    extraConfig = ''
      PrintMotd yes
    ''; # this could be done with pam

    hostKeys = [ ed25519HostKey ];
  };

  users.users.root.openssh.authorizedKeys.keys = rootAuthorizedKeys;
}