From 0cf53a97cf67da1bcdba10119cd6999dff36f554 Mon Sep 17 00:00:00 2001
From: Jan-Bulthuis
Date: Fri, 30 May 2025 16:15:52 +0200
Subject: [PATCH] Restricted SSH access

---
 modules/nixos/ssh.nix | 33 +++++++++++++++++++--------------
 1 file changed, 19 insertions(+), 14 deletions(-)

diff --git a/modules/nixos/ssh.nix b/modules/nixos/ssh.nix
index 2740425..31a5533 100644
--- a/modules/nixos/ssh.nix
+++ b/modules/nixos/ssh.nix
@@ -9,19 +9,24 @@ in
 enable = mkEnableOption "ssh";
 };
 config = mkIf cfg.enable {
- services.openssh.enable = true;
- # TODO: Is this default configuration secure?
-
- services.openssh.hostKeys = mkIf (config.modules.impermanence.enable) [
- {
- type = "ed25519";
- path = "/persist/system/etc/ssh/ssh_host_ed25519_key";
- }
- {
- type = "rsa";
- bits = 4096;
- path = "/persist/system/etc/ssh/ssh_host_rsa_key";
- }
- ];
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ PermitRootLogin = "no";
+ };
+ hostKeys = mkIf (config.modules.impermanence.enable) [
+ {
+ type = "ed25519";
+ path = "/persist/system/etc/ssh/ssh_host_ed25519_key";
+ }
+ {
+ type = "rsa";
+ bits = 4096;
+ path = "/persist/system/etc/ssh/ssh_host_rsa_key";
+ }
+ ];
+ };
 };
 }
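Review bot: The new `settings` block disables every interactive login path (password, keyboard-interactive, and root entirely) but nothing in this module provisions or asserts the key-based path that remains, so enabling it on a host whose users have no `openssh.authorizedKeys` entries yet leaves no way in, and `PermitRootLogin = "no"` also blocks key-based root logins that remote deployment tooling may rely on — worth a comment since the old `# TODO: Is this default configuration secure?` was dropped without recording the answer. I would add above `settings = {`: `# Hardening: only public-key auth is accepted and root cannot log in at all; deploy users' authorizedKeys before enabling this on a remote host.` The `hostKeys` list is unchanged apart from re-nesting, so the persisted-key behaviour under impermanence is the same as before. The enclosing module attrset and its `let` bindings start before this hunk.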