# NixOS module: key-only OpenSSH on a non-default port, with the SSH host keys
# listed as persisted files under /persistence.
{ config, lib, ... }:
let
  # One path per entry of services.openssh.hostKeys. Only the `path` attribute
  # is collected, so nothing besides those exact files is listed for
  # persistence here (a matching `.pub` file, if one exists, is not included).
  hostKeyPaths = lib.map (key: key.path) config.services.openssh.hostKeys;
in
{
  services.openssh = {
    enable = true;

    # sshd listens on 2168 instead of the default port. This only moves the
    # listener; access is still decided by the authentication settings below.
    ports = [ 2168 ];

    # Stops sshd from reading the user's ~/.ssh/authorized_keys file, so every
    # accepted key must be declared in the NixOS configuration and a user
    # cannot add one by writing to their home directory.
    authorizedKeysInHomedir = false;

    settings = {
      # Both password-style mechanisms are switched off together; leaving
      # keyboard-interactive enabled could still allow a password prompt.
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
    };
  };

  # NOTE(review): `environment.persistence` is presumably provided by the
  # impermanence module, which is not imported in this file; confirm it is
  # loaded elsewhere. Persisting the host keys keeps the server's SSH identity
  # the same across reboots, so clients do not see a changed host key.
  environment.persistence."/persistence".files = hostKeyPaths;
}