diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index fa4cb7e..579ab8b 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -5,3 +5,8 @@
     daemon_reload: yes
     enabled: yes
     state: restarted
+
+- name: restart_sshd
+  ansible.builtin.systemd:
+    name: sshd.service
+    state: restarted
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index e41a506..efac727 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -8,6 +8,7 @@
 - include: packages.yml
 - include: users.yml
 - include: nix.yml
+- include: sshd.yml
 
 - name: Disable wake on USB
   import_tasks: disable_usb_wake.yml
diff --git a/roles/common/tasks/sshd.yml b/roles/common/tasks/sshd.yml
new file mode 100644
index 0000000..e5374eb
--- /dev/null
+++ b/roles/common/tasks/sshd.yml
@@ -0,0 +1,14 @@
+---
+- name: Disable password-based SSH root login
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^PermitRootLogin'
+    line: 'PermitRootLogin prohibit-password'
+  notify: restart_sshd
+
+# - name: Disable password authentication
+#   lineinfile:
+#     path: /etc/ssh/sshd_config
+#     regexp: '^PasswordAuthentication'
+#     line: 'PasswordAuthentication no'
+#   notify: restart_sshd
diff --git a/roles/common/tasks/users.yml b/roles/common/tasks/users.yml
index b85a8aa..4161325 100644
--- a/roles/common/tasks/users.yml
+++ b/roles/common/tasks/users.yml
@@ -1,7 +1,19 @@
 ---
+- name: Sudo group
+  group:
+    name: sudo
+    state: present
+
 - name: Configure user earne
   user:
     name: earne
     comment: earnest ma
     shell: /usr/bin/zsh
     groups: docker,earne,mock,wheel
+
+- authorized_key:
+    user: earne
+    state: present
+    key: |
+      ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIClkhr7Rc2qbSEQ+MkEsD/147gb0pShJt+odxis76WRe main
+      ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPcKxz8Risfe13F+LxnUD5V1kApoxDtU7dO901SJiP6J backupk
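Review bot: The new `restart_sshd` handler uses `state: restarted`, which stops the daemon and drops every open session each time sshd_config is edited, and if the edited file is invalid the unit comes back failed with no remote access left; sshd re-reads its configuration on reload (the stock OpenSSH unit defines an ExecReload sending SIGHUP), so `state: reloaded` is the safer handler for a config change, and whichever state is used, the task that notifies it should validate the file first. It is also the only module in this patch written with its FQCN (`ansible.builtin.systemd`) while the tasks in sshd.yml and users.yml use short names (`lineinfile`, `group`, `authorized_key`); pick one form for the role. The handler above the hunk, which this one is modelled on, starts outside the hunk.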
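Review bot: `- include: sshd.yml` uses the legacy `include` action, which is deprecated in favour of `import_tasks`/`include_tasks` and has been removed from recent ansible-core releases, while the task two lines below it already uses `import_tasks: disable_usb_wake.yml`; write the new line as `- import_tasks: sshd.yml` so the file does not keep mixing the two forms. The three `include:` lines above it are pre-existing context and would need the same treatment in a separate change.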
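Review bot: The `lineinfile` edit of `/etc/ssh/sshd_config` has no `validate`, so a malformed directive is written as-is and the `restart_sshd` handler then bounces sshd into a failed state, cutting off the access the role depends on; add `validate: '/usr/sbin/sshd -t -f %s'` to the module arguments so a bad line is rejected before the handler fires. When no uncommented `^PermitRootLogin` line exists (stock configs ship it commented out) lineinfile appends at end of file, and a directive placed after a trailing `Match` block is scoped to that block rather than global, so `insertbefore: '^Match'` with `firstmatch: true` keeps it global (managing a drop-in under the distribution's sshd_config `Include` directory, where one exists, avoids the ordering problem entirely). The commented-out PasswordAuthentication task ships as dead YAML; either state why it is parked, e.g. `# disabled until every host has a working authorized_keys entry`, or drop it from the file. I am assuming `notify` sits at task level rather than under `lineinfile:`; the collapsed hunk does not show its indentation, and under the module it would be rejected as an unknown argument.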
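Review bot: The new `authorized_key` task is the only task in users.yml without a `name:`, and with `state: present` and no `exclusive`, any key already present in earne's authorized_keys that is not listed here is kept, so the file is not fully described by the role; if that is intended, say so in a comment, otherwise add `exclusive: true` so the two listed keys become the complete set, and name the task, e.g. `- name: Install authorized SSH keys for earne`. The `key: |` literal block keeps a trailing newline, which authorized_key tolerates but `|-` makes explicit. The comment field of the second key reads `backupk`, which looks truncated; worth checking against the source key before this runs. The `Sudo group` task creates group `sudo`, but nothing in this hunk adds earne to it (the context `groups:` line still lists `docker,earne,mock,wheel`), so presumably membership is handled elsewhere or still to come.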