{ lib, config, ... }:
{

  config = {
    services.openssh = {
      enable = true;
      settings.PasswordAuthentication = false;
      startWhenNeeded = true;
    };
    security = {
      sudo.execWheelOnly = true;
      pam = {
        sshAgentAuth.enable = true;
        services.sudo.sshAgentAuth = true;
      };
    };
  };
}