diff --git a/.forgejo/workflows/activate.yml b/.forgejo/workflows/activate.yml
index 78561f1..8d1ad80 100644
--- a/.forgejo/workflows/activate.yml
+++ b/.forgejo/workflows/activate.yml
@@ -21,6 +21,7 @@ jobs:
       - name: Rebuild
         run: |
           ssh -i ./ssh/deploy_key \
+            -o PasswordAuthentication=no \
             -o StrictHostKeyChecking=no \
             -o UserKnownHostsFile=/dev/null \
             root@localhost \
@@ -30,6 +31,7 @@ jobs:
         if: always()
         run: |
           ssh -i ./ssh/deploy_key \
+            -o PasswordAuthentication=no \
             -o StrictHostKeyChecking=no \
             -o UserKnownHostsFile=/dev/null \
             root@localhost "bash -lc 'nixos-version'"
diff --git a/hosts/bootstrap/config.nix b/hosts/bootstrap/config.nix
index 7eeca52..0e549ca 100644
--- a/hosts/bootstrap/config.nix
+++ b/hosts/bootstrap/config.nix
@@ -21,7 +21,7 @@
     tailscale.enable = true;
     openssh = {
       enable = true;
-      settings.PermitRootLogin = "yes";
+      settings.PermitRootLogin = "prohibit-password";
     };
   };
   users.users."${username}" = {