2 changed files with 15 additions and 22 deletions
--- a/modules/nixos/ssh.nix
+++ b/modules/nixos/ssh.nix
@ -9,24 +9,19 @@ in
    enable = mkEnableOption "ssh";
  };
  config = mkIf cfg.enable {
-    services.openssh = {
-      enable = true;
-      settings = {
-        PasswordAuthentication = false;
-        KbdInteractiveAuthentication = false;
-        PermitRootLogin = "no";
-      };
-      hostKeys = mkIf (config.modules.impermanence.enable) [
-        {
-          type = "ed25519";
-          path = "/persist/system/etc/ssh/ssh_host_ed25519_key";
-        }
-        {
-          type = "rsa";
-          bits = 4096;
-          path = "/persist/system/etc/ssh/ssh_host_rsa_key";
-        }
-      ];
-    };
+    services.openssh.enable = true;
+    # TODO: Is this default configuration secure?
+
+    services.openssh.hostKeys = mkIf (config.modules.impermanence.enable) [
+      {
+        type = "ed25519";
+        path = "/persist/system/etc/ssh/ssh_host_ed25519_key";
+      }
+      {
+        type = "rsa";
+        bits = 4096;
+        path = "/persist/system/etc/ssh/ssh_host_rsa_key";
+      }
+    ];
  };
 }
--- a/profiles/nixos/vm.nix
+++ b/profiles/nixos/vm.nix
@ -33,8 +33,7 @@ in
    };

    # Local user
-    modules.secrets.secrets."ssh-keys/admin-pub" = { };
-    modules.secrets.secrets."passwords/local-hashed".neededForUsers = true;
+    sops.secrets."ssh-keys/admin-pub" = { };
    services.getty.autologinUser = "local";
    security.sudo.extraRules = [
      {
@ -44,7 +43,6 @@ in
    ];
    users.mutableUsers = false;
    users.users.local = {
-      hashedPasswordFile = config.sops.secrets."passwords/local-hashed".path;
      extraGroups = [ "wheel" ];
      openssh.authorizedKeys.keyFiles = [
        config.sops.secrets."ssh-keys/admin-pub".path