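# NixOS module fragment: enables the OpenSSH daemon and opens its port in the
# host firewall. Laid out one setting per line so the `#` comment below ends at
# its own line instead of swallowing the closing braces and the firewall block.
{
  services.openssh = {
    enable = true;
    # Keeps the SFTP subsystem available to every account that can log in.
    allowSFTP = true;
    settings = {
      # Allow root login with SSH keys only.
      # sshd's "prohibit-password" disables password and keyboard-interactive
      # authentication for root; it does not restrict other accounts.
      # NOTE(review): password logins for non-root users stay at the module
      # default unless settings.PasswordAuthentication (and
      # settings.KbdInteractiveAuthentication) are set to false here. Confirm
      # that is intended before exposing this host.
      PermitRootLogin = "prohibit-password";
    };
  };

  networking.firewall = {
    # Opens TCP 22 on all interfaces.
    # NOTE(review): services.openssh.openFirewall normally opens the sshd
    # port already, so this entry only matters when that option is disabled.
    # To limit exposure, restrict the port per interface or by source address
    # rather than globally.
    allowedTCPPorts = [ 22 ];
  };
}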