diff --git a/hardening.nix b/hardening.nix
index 343e0d6..45e097d 100644
--- a/hardening.nix
+++ b/hardening.nix
@@ -47,6 +47,8 @@ in
 aviallon.hardening.expensive = mkForce cfg.hardcore;
+ services.openssh.permitRootLogin = "prohibit-password";
+
 security.apparmor.enable = true;
 services.dbus.apparmor = "enabled";
diff --git a/services.nix b/services.nix
index b968a18..821dbb2 100644
--- a/services.nix
+++ b/services.nix
@@ -47,7 +47,7 @@ in {
 # Enable the OpenSSH daemon.
 services.openssh.enable = true;
 # services.openssh.permitRootLogin = "prohibit-password";
- services.openssh.permitRootLogin = "yes";
+ services.openssh.permitRootLogin = mkDefault "yes";
 networking.firewall.allowedTCPPorts = [ 22 ];
 networking.firewall.allowedUDPPorts = [ 22 ];
@@ -113,6 +113,7 @@ in {
 ] (x: builtins.toJSON x));
+ # Enusre low-latency response for this time-critical service
 systemd.services."hdapsd@" = {
 serviceConfig = {
 Nice = -20;
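Review bot: The added `services.openssh.permitRootLogin` line in hardening.nix has no comment tying it to the `mkDefault "yes"` in services.nix that it overrides, and `"prohibit-password"` still lets root log in with a key. I would put `# Key-only root SSH login; overrides the mkDefault "yes" from services.nix` above it. If hardened hosts do not need direct root access, `"no"` would be the stricter value. The enclosing attribute set begins and ends outside the hunk, so whether this definition sits under an enable guard cannot be confirmed from here.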
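Review bot: The fallback on the changed line in services.nix is still `"yes"`, so any host where the hardening.nix definition does not apply keeps accepting root password logins over SSH, with TCP port 22 opened in the firewall two lines below. Making the weaker value the opt-in would be safer: `services.openssh.permitRootLogin = mkDefault "prohibit-password";`, after which the commented-out duplicate above it can be deleted. Whether hardening.nix sets its value unconditionally is not visible in these hunks, so this is worth checking before relying on the override.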
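Review bot: The comment added above `systemd.services."hdapsd@"` misspells "Ensure" as "Enusre"; it should read `# Ensure low-latency response for this time-critical service`. The service block it describes continues past the end of the hunk.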