allow root login over ssh using trusted key

common/default.nix

@@ -1,5 +1,10 @@
 { config, pkgs, ... }:
 
+let
+  ssh = import ./ssh.nix;
+  sshUserKeys = ssh.users;
+  sshHigherTrustKeys = ssh.higherTrustUserKeys;
+in
 {
   imports = [
     ./flakes.nix
@@ -23,7 +28,10 @@
   time.timeZone = "America/Denver";
   i18n.defaultLocale = "en_US.UTF-8";
 
-  services.openssh.enable = true;
+  services.openssh = {
+    enable = true;
+    passwordAuthentication = false;
+  };
   programs.mosh.enable = true;
 
   environment.systemPackages = with pkgs; [
@@ -54,10 +62,13 @@
       "dialout" # serial
     ];
     shell = pkgs.fish;
-    openssh.authorizedKeys.keys = (import ./ssh.nix).users;
+    openssh.authorizedKeys.keys = sshUserKeys;
     hashedPassword = "$6$TuDO46rILr$gkPUuLKZe3psexhs8WFZMpzgEBGksE.c3Tjh1f8sD0KMC4oV89K2pqAABfl.Lpxu2jVdr5bgvR5cWnZRnji/r/";
     uid = 1000;
   };
+  users.users.root = {
+    openssh.authorizedKeys.keys = sshHigherTrustKeys;
+  };
   nix.trustedUsers = [ "root" "googlebot" ];
 
   nix.gc.automatic = true;