system/modules/ssh.nix

# Key-only SSH hardening, imported by the hosts that run sshd (T400, Mac Pro).
# The host config still does `services.openssh.enable = true` and opens port 22
# next to where it documents the listening service; this module only tightens
# the policy and installs the authorized key, so a host opting into sshd cannot
# accidentally ship password/root login.
{ username, ... }:
{
  services.openssh.settings = {
    PasswordAuthentication = false; # keys only
    KbdInteractiveAuthentication = false; # no keyboard-interactive fallback
    PermitRootLogin = "no";
  };

  # The key permitted to log in as the primary user. Add more entries here as
  # new client machines are provisioned.
  users.users.${username}.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPDxHvdMTOzpFWUFMtCP7C/4tIOUO3GIO2QPvaifSnWH lyrathorpe@Lyra-MBA"
  ];
}
feat(nixos): key-only sshd hardening on T400 and Mac Pro 2026-06-10 16:22:12 +01:00			`# Key-only SSH hardening, imported by the hosts that run sshd (T400, Mac Pro).`
			# The host config still does `services.openssh.enable = true` and opens port 22
			`# next to where it documents the listening service; this module only tightens`
			`# the policy and installs the authorized key, so a host opting into sshd cannot`
			`# accidentally ship password/root login.`
			`{ username, ... }:`
			`{`
			`services.openssh.settings = {`
			`PasswordAuthentication = false; # keys only`
			`KbdInteractiveAuthentication = false; # no keyboard-interactive fallback`
			`PermitRootLogin = "no";`
			`};`

			`# The key permitted to log in as the primary user. Add more entries here as`
			`# new client machines are provisioned.`
			`users.users.${username}.openssh.authorizedKeys.keys = [`
			`"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPDxHvdMTOzpFWUFMtCP7C/4tIOUO3GIO2QPvaifSnWH lyrathorpe@Lyra-MBA"`
			`];`
			`}`