diff --git a/flake.nix b/flake.nix
index 7a481c8..1e759b1 100644
--- a/flake.nix
+++ b/flake.nix
@@ -128,8 +128,7 @@
 "2299"
 ];
 profiles.system = {
- user = "steffen";
- sshUser = "steffen";
+ user = "root";
 path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.cryodev-main;
 };
 };
diff --git a/hosts/cryodev-main/services/openssh.nix b/hosts/cryodev-main/services/openssh.nix
index f71c084..b38495e 100644
--- a/hosts/cryodev-main/services/openssh.nix
+++ b/hosts/cryodev-main/services/openssh.nix
@@ -9,4 +9,9 @@
 ];
 
 services.openssh.enable = true;
+
+ # Root SSH key for deploy-rs (key-only, no password)
+ users.users.root.openssh.authorizedKeys.keyFiles = [
+ ../../../users/steffen/pubkeys/forgejo-deploy.pub
+ ];
 }
diff --git a/modules/nixos/openssh/default.nix b/modules/nixos/openssh/default.nix
index 0958445..00f05c1 100644
--- a/modules/nixos/openssh/default.nix
+++ b/modules/nixos/openssh/default.nix
@@ -9,7 +9,7 @@ in
 ports = mkDefault [ 2299 ];
 openFirewall = mkDefault true;
 settings = {
- PermitRootLogin = mkDefault "no";
+ PermitRootLogin = mkDefault "prohibit-password";
 PasswordAuthentication = mkDefault false;
 };
 };
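Review bot: With `sshUser` dropped from `profiles.system` in flake.nix, the login account for the deploy is no longer pinned in this hunk. As far as I know, deploy-rs then falls back to a node- or top-level `sshUser`, or else to the name of the local user running the deploy, and reaches `user = "root"` through sudo. If the intent is to log in as root with the forgejo deploy key, say so explicitly with `sshUser = "root";` next to `user = "root";`. The node-level settings sit outside the hunk, so this may already be covered there. A short comment here should also record that deploys no longer go through the unprivileged account plus sudo, so sshd logs will attribute these sessions to `root` only.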
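Review bot: The key added through `users.users.root.openssh.authorizedKeys.keyFiles` in hosts/cryodev-main/services/openssh.nix carries no authorized_keys options, so whoever holds the forgejo deploy private key gets an unrestricted root session (pty, agent and port forwarding) from any address. Because `keyFiles` uses the file as it is, the restriction has to go either into the `.pub` file or into `authorizedKeys.keys`, for example `''from="<runner-address>",restrict <contents of forgejo-deploy.pub>''`, where `<runner-address>` is a placeholder for the CI runner. Whether deploy-rs still activates cleanly under `restrict` should be confirmed on a test host first. The comment above the option could also state that this is a CI-held key and where it is rotated.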
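Review bot: Changing the `mkDefault` for `PermitRootLogin` in modules/nixos/openssh/default.nix relaxes root login on every host that imports this shared module, although only cryodev-main receives a root key in this commit. Keep `PermitRootLogin = mkDefault "no";` here and set `services.openssh.settings.PermitRootLogin = "prohibit-password";` in `hosts/cryodev-main/services/openssh.nix` next to the key; a plain host-level value takes precedence over the `mkDefault`. That keeps the exception visible where the root key is granted and leaves other hosts denying root login by default. The enclosing attribute set starts outside the hunk.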