diff --git a/nixos/configuration.nix b/nixos/configuration.nix index 01a8528..33a17e8 100644 --- a/nixos/configuration.nix +++ b/nixos/configuration.nix @@ -341,7 +341,14 @@ # List services that you want to enable: # Enable the OpenSSH daemon. - services.openssh.enable = true; + services.openssh = { + enable = true; + # require public key authentication for better security + settings.PasswordAuthentication = false; + settings.KbdInteractiveAuthentication = false; + settings.PermitRootLogin = "no"; + extraConfig = "HostKey ${config.sops.secrets."ssh_keys/${hwconfig.hostname}".path}"; + }; # Open ports in the firewall. networking.firewall.allowedTCPPorts = [22]; diff --git a/nixos/hardware/apple-silicon-linux/default.nix b/nixos/hardware/apple-silicon-linux/default.nix index 5beb762..6750a1a 100644 --- a/nixos/hardware/apple-silicon-linux/default.nix +++ b/nixos/hardware/apple-silicon-linux/default.nix @@ -14,7 +14,7 @@ in { hardware.asahi = { peripheralFirmwareDirectory = ./firmware; useExperimentalGPUDriver = true; - experimentalGPUInstallMode = "overlay"; + #experimentalGPUInstallMode = "overlay"; setupAsahiSound = true; }; diff --git a/nixos/hosts/kylekrein-mac/default.nix b/nixos/hosts/kylekrein-mac/default.nix index 29247d7..83d3a80 100644 --- a/nixos/hosts/kylekrein-mac/default.nix +++ b/nixos/hosts/kylekrein-mac/default.nix 
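Review bot: The `HostKey` line added via `extraConfig` supplements rather than replaces the module's default host keys, so, if I recall the NixOS openssh module correctly, sshd will still generate and offer `/etc/ssh/ssh_host_*` keys from `services.openssh.hostKeys` (ed25519 and RSA by default) next to the sops-provided one. If the host identity is meant to come only from the secret, add `services.openssh.hostKeys = [];` beside the `extraConfig` line. It is also worth confirming that the age key sops-nix uses to decrypt this secret is not derived from the very host key being provided, since a fresh install would then have nothing to decrypt with. The `# require public key authentication for better security` comment could state the operational consequence: `# password/keyboard-interactive auth off: every admin needs an entry in users/*/openssh.authorizedKeys`.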
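Review bot: `experimentalGPUInstallMode` is commented out instead of removed, and nothing in the hunk says why, so the next reader cannot tell whether this is a temporary workaround or dead configuration. Either delete the line or keep it with a one-line reason, e.g. `# experimentalGPUInstallMode = "overlay"; disabled because <reason>` — the reason is not inferable from this diff.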
@@ -1,14 +1,19 @@ -{ pkgs, lib, hwconfig, inputs, ... }: { - imports = [ - inputs.apple-silicon-support.nixosModules.default - ./mac-hardware-conf.nix - ../../hardware/apple-silicon-linux + pkgs, + lib, + hwconfig, + inputs, + ... +}: { + imports = [ + inputs.apple-silicon-support.nixosModules.default + ./mac-hardware-conf.nix + ../../hardware/apple-silicon-linux - ../../modules/hyprland - - ../../users/kylekrein - ]; - facter.reportPath = lib.mkForce null; #fails to generate + ../../modules/hyprland + ../../users/kylekrein + ]; + sops.secrets."ssh_keys/${hwconfig.hostname}" = {}; + facter.reportPath = lib.mkForce null; #fails to generate } diff --git a/nixos/modules/sops/secrets/secrets.yaml b/nixos/modules/sops/secrets/secrets.yaml index 894c991..93ff66e 100644 --- a/nixos/modules/sops/secrets/secrets.yaml +++ b/nixos/modules/sops/secrets/secrets.yaml @@ -1,6 +1,8 @@ users: kylekrein: ENC[AES256_GCM,data:DNLVQ4IPFhUG9MR9hk2BuElvfNZIky3nMGWgilutRwvT3wl25vOLEETrBFoWUO+2ZgLSnhtwWtIJhNlRlTK/rsrUNVTOdwq9AA==,iv:Z+dhr33Wotm064IcwtNfFpvQeL03T29Dn3Bl9VqPL1g=,tag:Qe3sOY0DegSKDptBjnbFrQ==,type:str] tania: ENC[AES256_GCM,data:veo/dKQpztSGLfCxpWqoTOlPqSaNeNW2pYrTU9z125hjBVt2LC8X+mDp8vA0r8QFKpkGr1BiwviUTuXsSO1IXn3nHfDGsHQqFQ==,iv:q3pCcil1wiKe5xC6QEn3Q4wV1icW+3CCUQw6QZIINWU=,tag:XvBfIEORfdTcUihtcJQZVg==,type:str] +ssh_keys: + kylekrein-mac: ENC[AES256_GCM,data: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,iv:oEXxrvWosuiH2wSoSkP7YMwBQu3JKIhn/YeiaTL/UT4=,tag:XgBw2q/6LPWg2zuOC9Wb+w==,type:str] sops: kms: [] gcp_kms: [] 
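Review bot: The secret is declared here in the host file but consumed in nixos/configuration.nix (`HostKey ${config.sops.secrets."ssh_keys/${hwconfig.hostname}".path}` in this same commit), so any other host that imports configuration.nix without an identical declaration fails at evaluation with a missing-attribute error. Moving the declaration next to its consumer, `sops.secrets."ssh_keys/${hwconfig.hostname}" = {};` in configuration.nix, keeps the coupling in one place and makes the per-host requirement (a matching `ssh_keys/<hostname>` entry in secrets.yaml) obvious. The sops-nix defaults for owner and mode (root-only, as far as I recall) are appropriate for a private host key, so no further options seem needed.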
@@ -16,8 +18,8 @@ sops: M0hSNWNYbGM3a21McUVMaGNqWTdmNTQK3VRFV4EaC8K8AJi2PUt6TeBgueEmPLI8 Vdwwbh89+xD5xf4Zm0LctPRlxxM6diubv0gIZZPy/ZXZfiU32ZnM0w== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-12-19T00:21:29Z" - mac: ENC[AES256_GCM,data:B/sJ9L4aeDm4n+JIRrnjwRF8tbveuH85Y55pzy3lBvub+VF+mv/4PCyRWR8Upi1HWDqKQjN3yEo2+Px8e24csD7kyyirwFuYcbwNslEG4gm1uffx34sP3G+8bmEoLO76tbHrsMIkWTAQl3rmDOcNvVqzVq8KwGQSA2+3gO4d1+o=,iv:f0lOEBfvcsL5WQMz4Le2mu15IGsYFfE4OIUfnno0xXY=,tag:SusRIyzZlqbDbUN2BgvB8w==,type:str] + lastmodified: "2025-01-12T15:24:10Z" + mac: ENC[AES256_GCM,data:nN6b/GItToa87P08ZzkCRMjWX2Hw0jTL73QsWp0T+yAwI3n4BPeeJcuTQrh5zhL6BE87ZN83NQtAotaeRClnKw7x7FKspbKj9bVuExNEV0N9/ivN4l165R4/I8xtFQoJ+BHzA36iGbgXNemhaRexlR07KuOOtNnSNoYYT/FV9Do=,iv:voJusWPg1cw5Z/R5Jk3rQTELGyUcWi4Y+QhNLsD8+DQ=,tag:GoWKU8qgK81p8eqwKmIj6Q==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.2 diff --git a/nixos/users/kylekrein/default.nix b/nixos/users/kylekrein/default.nix index cb9a7c1..5331bd5 100644 --- a/nixos/users/kylekrein/default.nix +++ b/nixos/users/kylekrein/default.nix 
@@ -1,28 +1,50 @@ -{ pkgs, config, lib, hwconfig, inputs, first-nixos-install, ... }: -let username = "kylekrein"; -in { - imports = [ - ]; - users.users.${username} = { - isNormalUser = true; - description = "Aleksandr Lebedev"; - extraGroups = [ "networkmanager" "wheel" ]; - #initialPassword = "1234"; - hashedPasswordFile = config.sops.secrets."users/${username}".path; - packages = with pkgs; []; - }; - sops.secrets = { - "users/${username}" = { - neededForUsers = true; - }; - }; + pkgs, + config, + lib, + hwconfig, + inputs, + first-nixos-install, + ... +}: let + username = "kylekrein"; +in { + imports = [ + ]; + users.users.${username} = { + isNormalUser = true; + description = "Aleksandr Lebedev"; + extraGroups = ["networkmanager" "wheel"]; + #initialPassword = "1234"; + hashedPasswordFile = config.sops.secrets."users/${username}".path; + packages = with pkgs; []; - home-manager.users."${username}" = import ../../home.nix { inherit lib; inherit username; inherit inputs; inherit first-nixos-install; inherit hwconfig; inherit config; inherit pkgs; }; - kylekrein.services.autoUpgrade = { - configDir = lib.mkForce "/home/${username}/nixos-config"; - user = lib.mkForce username; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGMt3PWVvmEL6a0HHTsxL4KMq1UGKFdzgX5iIkm6owGQ kylekrein@kylekrein-mac" + ]; + }; + sops.secrets = { + "users/${username}" = { + neededForUsers = true; }; - programs.nh.flake = lib.mkForce "/home/${username}/nixos-config"; - systemd.tmpfiles.rules = (if hwconfig.useImpermanence then ["d /persist/home/${username} 0700 ${username} users -"] else []); # /persist/home/ created, owned by that user + }; + + home-manager.users."${username}" = import ../../home.nix { + inherit lib; + inherit username; + inherit inputs; + inherit first-nixos-install; + inherit hwconfig; + inherit config; + inherit pkgs; + }; + kylekrein.services.autoUpgrade = { + configDir = lib.mkForce "/home/${username}/nixos-config"; + user = lib.mkForce 
username; + }; + programs.nh.flake = lib.mkForce "/home/${username}/nixos-config"; + systemd.tmpfiles.rules = + if hwconfig.useImpermanence + then ["d /persist/home/${username} 0700 ${username} users -"] + else []; # /persist/home/ created, owned by that user }
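Review bot: The one functional change in this hunk, the new `openssh.authorizedKeys.keys` entry, is buried in a whole-file reformat, which makes the diff hard to review and to bisect; the reformat would be better as its own commit. Because the same commit turns off password and keyboard-interactive authentication in nixos/configuration.nix, this single ed25519 key becomes the only login path on every host that imports this user module. A short comment above the list would make that dependency explicit, e.g. `# sole login credential once PasswordAuthentication is off; keep a second key here before rotating this one`.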