# NixOS module: remote access (sshd, sshguard, mosh), a sops-managed root
# password, and fully declarative user accounts.
{ config, pkgs, ... }:
let
  # SSH public keys installed for root. The list is empty, and sshd refuses
  # root logins below, so this currently grants no SSH access.
  rootAuthorizedKeys = [ ];

  # Path of the decrypted "password-root" secret as exposed by sops-nix.
  rootPasswordFile = config.sops.secrets.password-root.path;
in
{
  # neededForUsers makes sops-nix decrypt this secret early enough for user
  # creation, which is required for hashedPasswordFile to read it.
  # The secret must contain a password *hash*, not the plaintext password.
  sops.secrets.password-root.neededForUsers = true;

  services = {
    openssh = {
      enable = true;
      # Root cannot log in over SSH, by key or by password.
      settings.PermitRootLogin = "no";
      # NOTE(review): PasswordAuthentication and KbdInteractiveAuthentication
      # are not set here, so the module defaults apply. If every account logs
      # in with a key, consider setting both to false; sshguard slows password
      # guessing but does not remove the password attack surface.
    };

    # Protect from ssh spammers: blocks hosts after repeated failed logins.
    sshguard.enable = true;
  };

  # Stop the kernel from logging REFUSED CONNECTIONS messages for traffic the
  # firewall drops anyway.
  # NOTE(review): this also removes those entries as a detection signal for
  # port scans; confirm another log source covers that if it matters.
  networking.firewall.logRefusedConnections = false;

  # Enable mosh and open its firewall ports.
  programs.mosh.enable = true;

  # Members of wheel can run sudo without entering a password.
  # NOTE(review): with this set, compromise of any wheel account (for example
  # a stolen SSH key) is equivalent to root; confirm this is intended.
  security.sudo.wheelNeedsPassword = false;

  users = {
    # Accounts and passwords come only from this configuration; changes made
    # imperatively on the host are not kept.
    mutableUsers = false;

    users.root = {
      hashedPasswordFile = rootPasswordFile;
      openssh.authorizedKeys.keys = rootAuthorizedKeys;
    };

    # Template for a normal (wheel) user; fill in the blanks before enabling.
    # A secret used for hashedPasswordFile also needs neededForUsers = true.
    # users.<name> = {
    #   isNormalUser = true;
    #   extraGroups = [ "wheel" ];
    #   hashedPasswordFile = <path to sops secret>;
    #   openssh.authorizedKeys.keys = <list of public keys>;
    # };
  };
}