diff --git a/nixos/modules/100tb.nix b/nixos/modules/100tb.nix
index ec4bf66579d4d9b89065f02df3ee454f5b647294..1bcb6ba176714ca3cfa5c527450dd9a3bc60684d 100644
--- a/nixos/modules/100tb.nix
+++ b/nixos/modules/100tb.nix
@@ -69,11 +69,6 @@ let
       example = lib.literalExample "wwn-0x5000c500936410b9";
       description = "The ID of the disk on which to install grub.";
     };
-    rootPublicKey = lib.mkOption
-    { type = lib.types.str;
-      example = lib.literalExample "ssh-ed25519 AAAA... username@host";
-      description = "The public key to install for the root user.";
-    };
   };
 in {
   # Here we actually define the module's options.  They're what we said they
@@ -112,11 +107,6 @@ in {
 
     boot.loader.timeout = 1;
     networking.firewall.enable = false;
-    services.openssh.enable = true;
-
-    users.users.root.openssh.authorizedKeys.keys = [
-      cfg.rootPublicKey
-    ];
 
     networking.hostId = cfg.hostId;
     networking.dhcpcd.enable = false;
diff --git a/nixos/modules/issuer.nix b/nixos/modules/issuer.nix
index 3e1e90d8b775f908755e3f7ce05dcf61b09e4bcd..7654bf1fc7082afcdc2056a9373deea89bdc4f19 100644
--- a/nixos/modules/issuer.nix
+++ b/nixos/modules/issuer.nix
@@ -5,6 +5,11 @@
   zkapissuer = pspkgs.callPackage ../pkgs/zkapissuer.nix { };
   cfg = config.services.private-storage-issuer;
 in {
+  imports = [
+    # Give it a good SSH configuration.
+    ../../nixos/modules/ssh.nix
+  ];
+
   options = {
     services.private-storage-issuer.enable = lib.mkEnableOption "PrivateStorage ZKAP Issuer Service";
     services.private-storage-issuer.package = lib.mkOption {
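Review bot: The new `imports` entry pulls in ssh.nix unconditionally, and the `config` block in ssh.nix has no `lib.mkIf` guard, so any system that imports this module gets sshd enabled and a root authorized key installed even when `services.private-storage-issuer.enable` is false. The same applies to the `./ssh.nix` import added in private-storage.nix. Consider giving ssh.nix its own enable option and wrapping its `config` in `lib.mkIf`, or importing it from the deployment's top-level configuration instead of from the service modules. As a style point, `../../nixos/modules/ssh.nix` points back into the directory this file already lives in; `./ssh.nix`, as used in private-storage.nix, is the more direct spelling.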
diff --git a/nixos/modules/private-storage.nix b/nixos/modules/private-storage.nix
index cc73d3720e656633f7d4be4195e08d11b911c074..cada491e04a49ce1e4931b58ffae6527f8cf77c5 100644
--- a/nixos/modules/private-storage.nix
+++ b/nixos/modules/private-storage.nix
@@ -30,6 +30,8 @@ in
   ];
 
   imports = [
+    # Give it a good SSH configuration.
+    ./ssh.nix
     # Load our tahoe-lafs module.  It is configurable in the way I want it to
     # be configurable.
     ./tahoe.nix
diff --git a/nixos/modules/ssh.nix b/nixos/modules/ssh.nix
new file mode 100644
index 0000000000000000000000000000000000000000..497efdf7ace456cb656baa4448b2650316e7d98b
--- /dev/null
+++ b/nixos/modules/ssh.nix
@@ -0,0 +1,25 @@
+# A NixOS module which configures SSH access to a system.
+{
+  lib,
+  config,
+  ...
+}: {
+  options = {
+  };
+  config =
+  let
+    cfg = config."private-storage".config;
+  in {
+    # An attempt at a properly secure SSH configuration.  This is informed by
+    # personal experience as well as various web resources:
+    #
+    # https://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
+    services.openssh = {
+      enable = true;
+    };
+
+    users.users.root.openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN4GenAY/YLGuf1WoMXyyVa3S9i4JLQ0AG+pt7nvcLlQ exarkun@baryon"
+    ];
+  };
+}
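Review bot: The comment above `services.openssh` promises a properly secure configuration, but the block only sets `enable = true`, so sshd runs with whatever defaults the pinned nixpkgs ships; on NixOS releases of this era those defaults appear to leave password authentication on, which is worth confirming. I would add `passwordAuthentication = false;`, `challengeResponseAuthentication = false;` and `permitRootLogin = "prohibit-password";` inside the attribute set, checking the option names against the pinned release. The root key is now a literal naming one person's key, replacing the `rootPublicKey` option removed from 100tb.nix, so every host importing this module grants root to that key and rotating it requires a code change; keeping the key list as a module option would preserve per-deployment control. The 100tb.nix context also shows `networking.firewall.enable = false;`, so on that host sshd's own settings are the only access control on port 22. Finally, the `cfg` binding and the `lib` argument are unused and `options` is empty, so they can be dropped until needed.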
diff --git a/nixos/modules/tests/private-storage.nix b/nixos/modules/tests/private-storage.nix
index 1fe55c1302b35aeb9e5645bbc1cb60053fc6e97c..08a3e0d5954fef0335b50f902e02ede47cda62ec 100644
--- a/nixos/modules/tests/private-storage.nix
+++ b/nixos/modules/tests/private-storage.nix
@@ -165,6 +165,12 @@ import <nixpkgs/nixos/tests/make-test.nix> {
       # Start booting all the VMs in parallel to speed up operations down below.
       startAll;
 
+      # The issuer and the storage server should accept SSH connections.  This
+      # doesn't prove it is so but if it fails it's a pretty good indication
+      # it isn't so.
+      $storage->waitForOpenPort(22);
+      $issuer->waitForOpenPort(22);
+
       # Set up a Tahoe-LAFS introducer.
       $introducer->copyFileFromHost(
           '${pemFile}',
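Review bot: The added `waitForOpenPort(22)` checks only confirm that something is listening, so the test would still pass if sshd accepted password logins or if the authorized key were missing. A cheap policy assertion could follow the port checks, for example `$storage->succeed("sshd -T | grep -qi '^passwordauthentication no'");`, with the same line for `$issuer`, assuming sshd is on the VM's PATH. That makes the test fail when the effective configuration drifts from what ssh.nix is meant to enforce. The test script continues outside this hunk.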