The sudo user was stupid. Provide a password protected key for the root user, have colmena go through that. As intended.

modules/system/programs/colmena/default.nix

@@ -1,4 +0,0 @@
-{ ... }:
-{
-  deployment.targetUser = "sudo";
-}

modules/system/programs/default.nix

@@ -1,7 +1,6 @@
 { ... }:
 {
   imports = [
-    ./colmena
     ./desktops
     ./gaming
     ./git

modules/system/services/general/ssh/default.nix

@@ -5,7 +5,6 @@
   services.openssh = {
     enable = true;
     settings = {
-      AllowGroups = [ "users" ];
       AuthenticationMethods = "publickey";
       PermitEmptyPasswords = true;
       PrintLastLog = "no";

modules/system/settings/security/privilege/default.nix

@@ -3,25 +3,10 @@
   security.sudo-rs = {
     enable = true;
     execWheelOnly = true;
-    extraRules = [
-      {
-        users = [ "sudo" ];
-        commands = [
-          {
-            command = "ALL";
-            options = [ "NOPASSWD" ];
-          }
-        ];
-      }
-    ];
   };
 
-  # Create a user that has admin non-interactively
-  users.users.sudo = {
-    isNormalUser = true;
-    extraGroups = [ "wheel" ];
-    openssh.authorizedKeys.keys = [
+  # Allow root to be accessed via ssh
+  users.users.root.openssh.authorizedKeys.keys = [
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN3B9Uf3h5JiD2HjF/vQ5Zx9pibMgRrlf7ZoBktev9eB Warden"
   ];
-  };
 }