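# Key-only SSH hardening, imported by the hosts that run sshd (T400, Mac Pro).
#
# The host config still does `services.openssh.enable = true` and opens port 22
# next to where it documents the listening service; this module only tightens
# the policy and installs the authorized key, so a host opting into sshd cannot
# accidentally ship password/root login.
#
# Caveat: NixOS option merging still lets a host override any of these settings
# with `lib.mkForce` / `lib.mkOverride`. Grep the importing host configs for
# those before treating this module as a guarantee rather than a default.
{ username, ... }:

{
  services.openssh.settings = {
    # Shut every interactive credential path. With both of these off, a weak
    # or leaked account password is not a remote login vector.
    PasswordAuthentication = false;       # keys only
    KbdInteractiveAuthentication = false; # no keyboard-interactive (e.g. PAM challenge) fallback

    # Defense in depth: list the only method sshd may accept at all, so a
    # method re-enabled by another module, or a future default change, cannot
    # quietly reopen non-key login. Redundant with the two flags above by
    # design.
    AuthenticationMethods = "publickey";

    # No direct root login over SSH; administer via the primary user.
    PermitRootLogin = "no";
  };

  # Public keys permitted to log in as the primary user. `username` is a module
  # argument the importing host is expected to provide (e.g. via specialArgs).
  # These are public halves only and are safe to keep in the repo. Add one
  # entry per client machine as it is provisioned, and remove the entry when
  # that machine is retired or its key is rotated.
  users.users.${username}.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPDxHvdMTOzpFWUFMtCP7C/4tIOUO3GIO2QPvaifSnWH lyrathorpe@Lyra-MBA"
  ];
}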