From 074d164e955f6d5e3bd737a1469c7bd1adc52aa9 Mon Sep 17 00:00:00 2001 From: Stefan Kempinger Date: Sat, 24 Jan 2026 13:50:48 +0100 Subject: [PATCH 1/2] Enable OpenSSH and allow SSH access Enable and configure openssh service: - enable service - disable PasswordAuthentication and KbdInteractiveAuthentication - set PermitRootLogin to prohibit-password (allow root keys only) - add ed25519 public key to authorizedKeys Open firewall TCP port 22 --- wohnzimmer/configuration.nix | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/wohnzimmer/configuration.nix b/wohnzimmer/configuration.nix index ac72c4b..abb5370 100644 --- a/wohnzimmer/configuration.nix +++ b/wohnzimmer/configuration.nix @@ -57,6 +57,10 @@ # Enable networking networking.networkmanager.enable = true; + networking.firewall.allowedTCPPorts = [ + 22 + ]; + nix = { extraOptions = '' experimental-features = nix-command flakes impure-derivations ca-derivations @@ -99,6 +103,10 @@ "wheel" ]; packages = with pkgs; [ ]; + + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINGHadFhDCUU/ta3p1FQgpm7NExHkyHNrJbNJP6np5w9 kempinger@ins.jku.at" + ]; }; # Allow unfree packages @@ -135,6 +143,14 @@ enable = true; xwayland.enable = true; }; + services.openssh = { + enable = true; + settings = { + PasswordAuthentication = false; + KbdInteractiveAuthentication = false; + PermitRootLogin = "prohibit-password"; # Allow root with SSH keys only + }; + }; programs.firefox.enable = true; programs.fish.enable = true; From 5da7dbabfb7de55bf5c1ef291f4be0dc0944ba8a Mon Sep 17 00:00:00 2001 From: Stefan Kempinger Date: Sat, 24 Jan 2026 13:51:00 +0100 Subject: [PATCH 2/2] Add magic-update-script to pull container images --- heimserver/configuration.nix | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/heimserver/configuration.nix b/heimserver/configuration.nix index e9a43fb..215b331 100644 --- a/heimserver/configuration.nix +++ b/heimserver/configuration.nix 
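Review bot: The explicit `networking.firewall.allowedTCPPorts = [ 22 ];` in the first hunk duplicates the rule the openssh module installs on its own, since `services.openssh.openFirewall` defaults to true and the third hunk enables the service. Keeping both means a later change of `services.openssh.ports` would leave a stale port 22 entry open without any error. Either drop the list or pair it with `services.openssh.openFirewall = false;` so that one place owns the firewall rule.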
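Review bot: `PermitRootLogin = "prohibit-password"` in the third hunk is wider than this change needs: no authorized key is configured for root anywhere in the patch (the key in the second hunk goes to the wheel user), so key-based root login is enabled but unused. `PermitRootLogin = "no";` closes that path and still matches the stated goal of key-only access through the wheel account. I believe "prohibit-password" is also the NixOS module default, so as written the line documents rather than changes behaviour; the comment `# Allow root with SSH keys only` should then be updated to match whichever value is chosen. The enclosing attribute set continues past the end of the hunk.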
@@ -310,6 +310,7 @@ ignoreregex = ''; + environment.etc."fail2ban/filter.d/forgejo.local".text = '' [Definition] # Matches: ... Failed login attempt for user ... from ip address @@ -318,6 +319,19 @@ ignoreregex = ''; + + environment.etc."magic-update-script.sh".text = '' + #!/usr/bin/env bash + set -euo pipefail + + echo "Pulling latest container images..." + + ${lib.concatMapStringsSep "\n" (name: + "docker pull ${config.virtualisation.oci-containers.containers.${name}.image}" + ) (builtins.attrNames config.virtualisation.oci-containers.containers)} + + echo "All images updated successfully!" + ''; # Virtualisation virtualisation = {
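Review bot: The script in the second hunk is placed in /etc through `environment.etc.<name>.text` with the default symlink mode, so the resulting store file is read-only and not executable; the shebang is never honoured and the file has to be run as `bash /etc/magic-update-script.sh`. Setting `mode = "0755";` next to `text` makes it a proper executable copy. The generated lines also hard-code `docker pull`, while `virtualisation.oci-containers` defaults to the podman backend — the backend is set inside the `virtualisation = {` block that begins at the end of the hunk, so this may be intentional, but interpolating `config.virtualisation.oci-containers.backend` keeps the script in step with whatever is configured. Note that pulling does not restart the running `<backend>-<name>.service` units, so new images only take effect after those are restarted, and pulling by a mutable tag moves the host off the image the Nix configuration pinned, which is worth a comment in the script header.
```nix
environment.etc."magic-update-script.sh" = {
  mode = "0755"; # executable copy instead of the default read-only store symlink
  text = ''
    #!/usr/bin/env bash
    set -euo pipefail
    # … unchanged: progress echo …
    ${lib.concatMapStringsSep "\n" (name:
      "${config.virtualisation.oci-containers.backend} pull ${config.virtualisation.oci-containers.containers.${name}.image}"
    ) (builtins.attrNames config.virtualisation.oci-containers.containers)}
    # … unchanged: final echo …
  '';
};
```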