# NixOS configuration fragment: turns on the OpenSSH daemon and opens TCP
# port 22 in the host firewall.
{
  services.openssh.enable = true;

  # "prohibit-password" lets root log in with public-key authentication only;
  # password and keyboard-interactive logins are refused for root.
  # NOTE(review): this restricts root alone. Password authentication for other
  # accounts is not set here, so the module default applies; confirm it is
  # disabled if key-only access is the intent.
  # NOTE(review): newer NixOS releases expose this option as
  # services.openssh.settings.PermitRootLogin; confirm which form the target
  # release expects.
  services.openssh.permitRootLogin = "prohibit-password";

  networking.firewall = {
    # Opens SSH with no source restriction at this layer. The sshd listen port
    # is not set in this fragment, so 22 is presumably the daemon's default;
    # keep the two in sync if the port is ever changed.
    # NOTE(review): services.openssh.openFirewall may already open the port;
    # check whether this entry is redundant on the target release.
    allowedTCPPorts = [ 22 ];
  };
}