Add magic-update-script to pull container images

Enable and configure openssh service:
- enable service
- disable PasswordAuthentication and KbdInteractiveAuthentication
- set PermitRootLogin to prohibit-password (allow root keys only)
- add ed25519 public key to authorizedKeys
  Open firewall TCP port 22

heimserver/configuration.nix

@@ -310,6 +310,7 @@
 
     ignoreregex =
   '';
+  
   environment.etc."fail2ban/filter.d/forgejo.local".text = ''
     [Definition]
     # Matches: ... Failed login attempt for user ... from ip address <HOST>
@@ -319,6 +320,19 @@
     ignoreregex =
   '';
   
+  environment.etc."magic-update-script.sh".text = ''
+    #!/usr/bin/env bash
+    set -euo pipefail
+
+    echo "Pulling latest container images..."
+
+    ${lib.concatMapStringsSep "\n" (name: 
+        "docker pull ${config.virtualisation.oci-containers.containers.${name}.image}"
+    ) (builtins.attrNames config.virtualisation.oci-containers.containers)}
+
+    echo "All images updated successfully!"
+  '';
+
   # Virtualisation
   virtualisation = {
     containers.enable = true;

wohnzimmer/configuration.nix

@@ -57,6 +57,10 @@
   # Enable networking
   networking.networkmanager.enable = true;
 
+  networking.firewall.allowedTCPPorts = [
+    22
+  ];
+
   nix = {
     extraOptions = ''
       experimental-features = nix-command flakes impure-derivations ca-derivations
@@ -99,6 +103,10 @@
       "wheel"
     ];
     packages = with pkgs; [ ];
+
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINGHadFhDCUU/ta3p1FQgpm7NExHkyHNrJbNJP6np5w9 kempinger@ins.jku.at"
+    ];
   };
 
   # Allow unfree packages
@@ -135,6 +143,14 @@
     enable = true;
     xwayland.enable = true;
   };
+  services.openssh = {
+    enable = true;
+    settings = {
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
+      PermitRootLogin = "prohibit-password"; # Allow root with SSH keys only
+    };
+  };
 
   programs.firefox.enable = true;
   programs.fish.enable = true;