cryodev/modules/nixos/openssh/default.nix
steffen 92abe2574d enable root SSH key-only login for deploy-rs
- Change PermitRootLogin from 'no' to 'prohibit-password' (key-only)
- Add forgejo-deploy public key to root's authorized_keys
- Revert deploy-rs user back to root (needs root for activation)

Root can only login via SSH key, password auth remains disabled.
2026-03-14 14:13:26 +01:00


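# Baseline OpenSSH server settings for hosts that import this module.
# Every value is wrapped in mkDefault, so a host can override any of them
# with a plain assignment in its own configuration.
{ lib, ... }:
let
  inherit (lib) mkDefault;
in
{
  services.openssh = {
    enable = mkDefault true;

    # Non-standard port. This cuts scanner noise in the logs but is not an
    # access control; the authentication settings below protect the service.
    ports = mkDefault [ 2299 ];

    # Adds the port above to the host firewall's allowed TCP ports.
    # NOTE(review): if only the deployment runner needs to reach sshd,
    # consider a source-restricted firewall rule instead — confirm per host.
    openFirewall = mkDefault true;

    settings = {
      # Root may authenticate with a public key only; sshd refuses password
      # and keyboard-interactive authentication for root in this mode.
      PermitRootLogin = mkDefault "prohibit-password";

      PasswordAuthentication = mkDefault false;

      # NixOS enables keyboard-interactive authentication by default, and with
      # PAM it can still present a password prompt to non-root accounts even
      # though PasswordAuthentication is off. Disable it so that "key-only"
      # holds for every account. Hosts that rely on a PAM-based second factor
      # can override this default.
      KbdInteractiveAuthentication = mkDefault false;
    };
  };
}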