diff --git a/.forgejo/workflows/deploy.yml b/.forgejo/workflows/deploy.yml
index 3d51189..9ae1e1e 100644
--- a/.forgejo/workflows/deploy.yml
+++ b/.forgejo/workflows/deploy.yml
@@ -29,7 +29,7 @@ jobs:
 mkdir -p ~/.ssh
 echo "$DEPLOY_KEY" > ~/.ssh/id_ed25519
 chmod 600 ~/.ssh/id_ed25519
- ssh-keyscan -H cryodev.xyz >> ~/.ssh/known_hosts
+ ssh-keyscan -p 2299 -H cryodev.xyz >> ~/.ssh/known_hosts
 - name: Deploy with deploy-rs
 run: nix run github:serokell/deploy-rs -- -s .#cryodev-main
diff --git a/flake.nix b/flake.nix
index 0dba405..1e759b1 100644
--- a/flake.nix
+++ b/flake.nix
@@ -123,6 +123,10 @@
 nodes = {
 cryodev-main = {
 hostname = constants.domain;
+ sshOpts = [
+ "-p"
+ "2299"
+ ];
 profiles.system = {
 user = "root";
 path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.cryodev-main;
diff --git a/users/steffen/pubkeys/forgejo-deploy.pub b/hosts/cryodev-main/deploy-key.pub
similarity index 100%
rename from users/steffen/pubkeys/forgejo-deploy.pub
rename to hosts/cryodev-main/deploy-key.pub
diff --git a/hosts/cryodev-main/services/openssh.nix b/hosts/cryodev-main/services/openssh.nix
index f71c084..db9a56a 100644
--- a/hosts/cryodev-main/services/openssh.nix
+++ b/hosts/cryodev-main/services/openssh.nix
@@ -9,4 +9,9 @@
 ];
 services.openssh.enable = true;
+
+ # Root SSH key for deploy-rs (key-only, no password)
+ users.users.root.openssh.authorizedKeys.keyFiles = [
+ ../deploy-key.pub
+ ];
 }
diff --git a/hosts/cryodev-main/users.nix b/hosts/cryodev-main/users.nix
index a198c5a..2703ead 100644
--- a/hosts/cryodev-main/users.nix
+++ b/hosts/cryodev-main/users.nix
@@ -4,5 +4,7 @@
 imports = [
 outputs.nixosModules.normalUsers
 ../../users/steffen
+ ../../users/ralph
+ ../../users/benjamin
 ];
 }
diff --git a/hosts/cryodev-pi/users.nix b/hosts/cryodev-pi/users.nix
index 3570761..a198c5a 100644
--- a/hosts/cryodev-pi/users.nix
+++ b/hosts/cryodev-pi/users.nix
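Review bot: The server's host key is still trusted on first use — `ssh-keyscan -p 2299 -H cryodev.xyz >> ~/.ssh/known_hosts` accepts whatever key answers on the network at the moment the job runs, so anyone able to intercept traffic to cryodev.xyz:2299 during a run gets a root session through the deploy key. Pin the host key instead: keep the server's public host key as a repository secret or committed constant and replace the keyscan line with `echo "[cryodev.xyz]:2299 $DEPLOY_HOST_KEY" >> ~/.ssh/known_hosts`, which also stops depending on the port being reachable during setup. If keyscan has to stay, pipe its output through `ssh-keygen -lf -` and compare against a known fingerprint before appending. The step's `run:` block begins before this hunk.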
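Review bot: The listener port is now a bare literal in three places — this `sshOpts`, the `ssh-keyscan -p 2299` in deploy.yml, and `ports = mkDefault [ 2299 ]` in modules/nixos/openssh — so a future port change has three spots to miss and the failure mode is a deployer that can no longer reach the host. The `hostname` on the line above already reads `constants.domain`; if a sibling constant for the port is added, this could read `sshOpts = [ "-p" (toString constants.sshPort) ];` and the module default could take the same value. The `nodes` attribute set continues past the end of the hunk.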
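Review bot: The deploy key is installed for root with no authorized_keys options, so a leaked runner secret is an unrestricted root shell from any source address. As far as I recall `keyFiles` are concatenated into root's authorized_keys as-is, so the key line in `../deploy-key.pub` can carry a `restrict` option (plus `from="<runner address>"` if the Forgejo runner has a fixed address), which removes pty, port forwarding and X11 for that key while leaving command execution for deploy-rs — worth confirming that deploy-rs activation does not request a pty. The comment `# Root SSH key for deploy-rs (key-only, no password)` describes a property this file does not set; it relies on the module's `PermitRootLogin = mkDefault "prohibit-password"`, so say where it comes from: `# Root SSH key for deploy-rs; root password login stays disabled by modules/nixos/openssh (PermitRootLogin prohibit-password)`.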
@@ -4,6 +4,5 @@
 imports = [
 outputs.nixosModules.normalUsers
 ../../users/steffen
- ../../users/cryotherm
 ];
 }
diff --git a/modules/nixos/openssh/default.nix b/modules/nixos/openssh/default.nix
index 0958445..00f05c1 100644
--- a/modules/nixos/openssh/default.nix
+++ b/modules/nixos/openssh/default.nix
@@ -9,7 +9,7 @@ in
 ports = mkDefault [ 2299 ];
 openFirewall = mkDefault true;
 settings = {
- PermitRootLogin = mkDefault "no";
+ PermitRootLogin = mkDefault "prohibit-password";
 PasswordAuthentication = mkDefault false;
 };
 };
diff --git a/templates/generic-server/users.nix b/templates/generic-server/users.nix
index 3570761..12ca230 100644
--- a/templates/generic-server/users.nix
+++ b/templates/generic-server/users.nix
@@ -3,7 +3,7 @@
 {
 imports = [
 outputs.nixosModules.normalUsers
- ../../users/steffen
- ../../users/cryotherm
+ # Add users here, e.g.:
+ # ../../users/
 ];
 }
diff --git a/templates/raspberry-pi/users.nix b/templates/raspberry-pi/users.nix
index 3570761..12ca230 100644
--- a/templates/raspberry-pi/users.nix
+++ b/templates/raspberry-pi/users.nix
@@ -3,7 +3,7 @@
 {
 imports = [
 outputs.nixosModules.normalUsers
- ../../users/steffen
- ../../users/cryotherm
+ # Add users here, e.g.:
+ # ../../users/
 ];
 }
diff --git a/users/benjamin/default.nix b/users/benjamin/default.nix
new file mode 100644
index 0000000..d00df64
--- /dev/null
+++ b/users/benjamin/default.nix
@@ -0,0 +1,11 @@
+{
+ normalUsers.benjamin = {
+ extraGroups = [
+ "wheel"
+ ];
+ sshKeyFiles = [
+ # TODO: Add benjamin's public key
+ # ./pubkeys/benjamin.pub
+ ];
+ };
+}
diff --git a/users/cryotherm/default.nix b/users/cryotherm/default.nix
deleted file mode 100644
index 7de4740..0000000
--- a/users/cryotherm/default.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- normalUsers.cryotherm = {
- extraGroups = [ ];
- # No sshKeyFiles, so password login only (if allowed) or local access
- sshKeyFiles = [ ];
- };
-}
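Review bot: Relaxing `PermitRootLogin` to `"prohibit-password"` here changes the default for every host that imports this module, while only cryodev-main installs a root key in this commit; the Pi and both templates inherit root-over-SSH-as-soon-as-a-key-appears for no benefit. Keep the module default at `"no"` and set `services.openssh.settings.PermitRootLogin = "prohibit-password";` in hosts/cryodev-main/services/openssh.nix next to the authorized key, so the two settings that together open root access live in one file. The existing `mkDefault` already lets that per-host override win without `mkForce`.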
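Review bot: `normalUsers.benjamin` is put in `wheel` with an empty `sshKeyFiles`, so admin rights are granted ahead of any credential visible in the repo; whether the `normalUsers` module sets a password or leaves the account locked is not visible here, and the day a key or password is added nothing re-reviews the admin grant. Either add the key in the same change or keep `extraGroups = [ ];` until `./pubkeys/benjamin.pub` exists. The TODO should also say who is expected to supply the key, e.g. `# TODO(benjamin): commit ./pubkeys/benjamin.pub, then add it here and move this account to wheel`.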
diff --git a/users/ralph/default.nix b/users/ralph/default.nix
new file mode 100644
index 0000000..f43dd0d
--- /dev/null
+++ b/users/ralph/default.nix
@@ -0,0 +1,11 @@
+{
+ normalUsers.ralph = {
+ extraGroups = [
+ "wheel"
+ ];
+ sshKeyFiles = [
+ # TODO: Add ralph's public key
+ # ./pubkeys/ralph.pub
+ ];
+ };
+}
diff --git a/users/steffen/default.nix b/users/steffen/default.nix
index f58a45f..a7503e9 100644
--- a/users/steffen/default.nix
+++ b/users/steffen/default.nix
@@ -5,9 +5,6 @@
 extraGroups = [
 "wheel"
 ];
- sshKeyFiles = [
- ./pubkeys/X670E.pub
- ./pubkeys/forgejo-deploy.pub
- ];
+ sshKeyFiles = [ ./pubkeys/X670E.pub ];
 };
 }
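Review bot: `normalUsers.ralph` gets `"wheel"` while `sshKeyFiles` is empty, so the admin grant precedes any credential the repository shows for the account; how the `normalUsers` module treats an account with no keys (locked, or password-capable) is not visible here. Prefer `extraGroups = [ ];` until `./pubkeys/ralph.pub` is committed, and add the key and the group in the same later change so the privilege is reviewed together with the credential that exercises it.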
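Review bot: Removing `./pubkeys/forgejo-deploy.pub` from steffen's keys does not retire the key — the rename in this commit reuses the same public key as root's deploy key, so every existing copy of the private key (the runner secret and any local copy made while it was steffen's) now yields a direct root login instead of a wheel login. When a key's scope is raised like this, generate a fresh keypair for the root/deploy role, store only that one as the runner secret, and drop the old private key, rather than carrying the old material forward. The `normalUsers.steffen` attribute set starts before this hunk.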