{
  config,
  lib,
  ...
}: let
  inherit (lib) mkForce mkIf;

  cfg = config.roles.server;
in {
  config = mkIf (cfg.enable && cfg.sshd.enable) {
    services = {
      openssh = {
        enable = true;
        settings = {
          PasswordAuthentication = false;
          PermitRootLogin = mkForce "no";
        };
      };
    };

    users.users.${cfg.user} = {
      openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPE39uk52+NIDLdHeoSHIEsOUUFRzj06AGn09z4TUOYm matt@OP9"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICr2+CpqXNMLsjgbrYyIwTKhlVSiIYol1ghBPzLmUpKl matt@binto"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJGbLu+Gb7PiyNgNXMHemaQLnKixebx1/4cdJGna9OQp matt@wim"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII1bYbOemBJHjm5onaRE52YvGiTAr+bS0l4tCjXSXud9 matt@servivi"
      ];
    };
  };

  # For accurate stack trace
  _file = ./default.nix;
}