From 074d164e955f6d5e3bd737a1469c7bd1adc52aa9 Mon Sep 17 00:00:00 2001
From: Stefan Kempinger
Date: Sat, 24 Jan 2026 13:50:48 +0100
Subject: [PATCH] Enable OpenSSH and allow SSH access
Enable and configure openssh service:
- enable service
- disable PasswordAuthentication and KbdInteractiveAuthentication
- set PermitRootLogin to prohibit-password (allow root keys only)
- add ed25519 public key to authorizedKeys
Open firewall TCP port 22
---
 wohnzimmer/configuration.nix | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/wohnzimmer/configuration.nix b/wohnzimmer/configuration.nix
index ac72c4b..abb5370 100644
--- a/wohnzimmer/configuration.nix
+++ b/wohnzimmer/configuration.nix
@@ -57,6 +57,10 @@
 # Enable networking
 networking.networkmanager.enable = true;
+ networking.firewall.allowedTCPPorts = [
+ 22
+ ];
+
 nix = {
 extraOptions = ''
 experimental-features = nix-command flakes impure-derivations ca-derivations
@@ -99,6 +103,10 @@
 "wheel"
 ];
 packages = with pkgs; [ ];
+
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINGHadFhDCUU/ta3p1FQgpm7NExHkyHNrJbNJP6np5w9 kempinger@ins.jku.at"
+ ];
 };
 # Allow unfree packages
@@ -135,6 +143,14 @@
 enable = true;
 xwayland.enable = true;
 };
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ PermitRootLogin = "prohibit-password"; # Allow root with SSH keys only
+ };
+ };
 programs.firefox.enable = true;
 programs.fish.enable = true;
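Review bot: The added `networking.firewall.allowedTCPPorts = [ 22 ];` duplicates what the NixOS OpenSSH module already does, because `services.openssh.openFirewall` defaults to true and opens the configured SSH ports whenever the service is enabled. Keeping the port in the global list means 22 stays open on every interface even if sshd is later disabled or moved to another port. I would drop these lines. If the intent is to limit exposure, set `services.openssh.openFirewall = false;` and allow the port only on the trusted interface with `networking.firewall.interfaces.<name>.allowedTCPPorts = [ 22 ];`, where `<name>` is a placeholder for the interface.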
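Review bot: The key added under `openssh.authorizedKeys.keys` appears to belong to an account in `"wheel"` (the group is visible in the context lines), so it is effectively an administrative credential, and nothing next to it says so. A short comment above the entry, such as `# admin login key for <owner/device>; delete this line to revoke SSH access`, would make later review and revocation easier. Whether sudo for wheel still asks for a password is not visible in this hunk, so it is worth confirming that `security.sudo.wheelNeedsPassword` has not been turned off elsewhere in the file. The enclosing user definition starts outside the hunk.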
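Review bot: `PermitRootLogin = "prohibit-password"` keeps root reachable over SSH with a key, yet this commit installs a key only for a regular user who appears to be in `wheel`, so direct root login looks unnecessary. Unless a root key is configured elsewhere, `PermitRootLogin = "no";` is the tighter setting; it leaves sudo as the single path to root and keeps per-user attribution in the auth logs. Adding `AllowUsers = [ "<user>" ];` (placeholder account name) under `settings` would further restrict which accounts sshd accepts now that port 22 is open.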