Restricted SSH access

modules/nixos/ssh.nix

@@ -9,19 +9,24 @@ in
     enable = mkEnableOption "ssh";
   };
   config = mkIf cfg.enable {
-    services.openssh.enable = true;
-    # TODO: Is this default configuration secure?
-
-    services.openssh.hostKeys = mkIf (config.modules.impermanence.enable) [
-      {
-        type = "ed25519";
-        path = "/persist/system/etc/ssh/ssh_host_ed25519_key";
-      }
-      {
-        type = "rsa";
-        bits = 4096;
-        path = "/persist/system/etc/ssh/ssh_host_rsa_key";
-      }
-    ];
+    services.openssh = {
+      enable = true;
+      settings = {
+        PasswordAuthentication = false;
+        KbdInteractiveAuthentication = false;
+        PermitRootLogin = "no";
+      };
+      hostKeys = mkIf (config.modules.impermanence.enable) [
+        {
+          type = "ed25519";
+          path = "/persist/system/etc/ssh/ssh_host_ed25519_key";
+        }
+        {
+          type = "rsa";
+          bits = 4096;
+          path = "/persist/system/etc/ssh/ssh_host_rsa_key";
+        }
+      ];
+    };
   };
 }

profiles/nixos/vm.nix

@@ -33,7 +33,8 @@ in
     };
 
     # Local user
-    sops.secrets."ssh-keys/admin-pub" = { };
+    modules.secrets.secrets."ssh-keys/admin-pub" = { };
+    modules.secrets.secrets."passwords/local-hashed".neededForUsers = true;
     services.getty.autologinUser = "local";
     security.sudo.extraRules = [
       {
@@ -43,6 +44,7 @@ in
     ];
     users.mutableUsers = false;
     users.users.local = {
+      hashedPasswordFile = config.sops.secrets."passwords/local-hashed".path;
       extraGroups = [ "wheel" ];
       openssh.authorizedKeys.keyFiles = [
         config.sops.secrets."ssh-keys/admin-pub".path