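# NixOS module: OpenSSH daemon with key-only authentication.
#
# Arguments used here:
#   config      - the system configuration; read to reuse the primary
#                 user's authorized keys for root.
#   site_config - site-specific values; ssh_keys.laptop, ssh_keys.desktop
#                 and ssh_keys.ci_deploy become authorized_keys entries.
#   username    - name of the primary user account.
# lib and pkgs are accepted but not used in this module.
{ config, lib, pkgs, site_config, username, ... }:

{
  # Enable the OpenSSH daemon.
  services.openssh = {
    enable = true;
    settings = {
      # Only the primary user and root may log in over SSH.
      AllowUsers = [ username "root" ];
      PasswordAuthentication = false;
      # Root login is needed for deploying configs, but only ever with a key.
      # "prohibit-password" disables password and keyboard-interactive
      # authentication for root; "yes" would leave keyboard-interactive
      # available to root unless it is disabled separately.
      PermitRootLogin = "prohibit-password";
    };
  };

  # Z recursively sets mode and ownership: /etc/ssh and its contents to
  # 755 root:root, then everything matching ssh_host_* to 600 root:root.
  # NOTE(review): the glob also matches the *.pub host keys, and the private
  # keys only end up 600 if the second rule is applied after the first —
  # confirm the resulting modes on a deployed host.
  systemd.tmpfiles.rules = [
    "Z /etc/ssh 755 root root"
    "Z /etc/ssh/ssh_host_* 600 root root"
  ];

  users.users.${username}.openssh.authorizedKeys.keys = [
    site_config.ssh_keys.laptop
    site_config.ssh_keys.desktop
  ];

  # Used for deploying configs to the server: root accepts every key the
  # primary user accepts, plus the CI deploy key.
  # NOTE(review): the CI key gets an unrestricted root login here; check
  # whether its authorized_keys entry can carry options such as from= or
  # restrict to narrow what a leaked CI credential can do.
  users.users.root.openssh.authorizedKeys.keys =
    config.users.users.${username}.openssh.authorizedKeys.keys
    ++ [ site_config.ssh_keys.ci_deploy ];
}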