From 24c63b43757a01ff0a5e9cf22f8bf57d7eb8a1dd Mon Sep 17 00:00:00 2001
From: Felix Tenley
Date: Sat, 3 Oct 2020 19:13:33 +0200
Subject: [PATCH] feat(rpi4): switch to key authentication for openssh
---
 key | 1 +
 rpi4.nix | 14 +++++++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 key
diff --git a/key b/key
new file mode 100644
index 0000000..e578ca5
--- /dev/null
+++ b/key
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIINDTp/k2m9yUn8NGDpCzyX2iK9lOwe6lJR5sk19apxC openpgp:0xBBA675EA
diff --git a/rpi4.nix b/rpi4.nix
index 3fd71a1..94e8f6b 100644
--- a/rpi4.nix
+++ b/rpi4.nix
@@ -1,5 +1,6 @@
 { config, pkgs, ... }:
+with builtins;
 {
 imports = [
 # ./hardware/base.nix
@@ -64,12 +65,23 @@
 programs.zsh.enable = true;
- services.openssh.enable = true;
+ services.openssh = {
+ enable = true;
+ challengeResponseAuthentication = false;
+ passwordAuthentication = false;
+ permitRootLogin = "no";
+ };
+
+ boot.initrd.network.ssh = {
+ enable = true;
+ authorizedKeys = [(readFile "./key")];
+ };
 users.users.felschr = {
 isNormalUser = true;
 extraGroups = [ "wheel" "audio" "disk" ];
 shell = pkgs.zsh;
+ openssh.authorizedKeys.keyFiles = [ ./key ];
 };
 home-manager = {
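Review bot: The file-wide `with builtins;` added at the top of rpi4.nix in the `@@ -1,5 +1,6 @@` hunk puts every builtin in scope for the whole module, while the only use visible in this patch is a single `readFile` call. Writing that call as `builtins.readFile` and dropping the `with` line keeps name resolution explicit and makes it obvious where `readFile` comes from. The module body continues outside the hunk, so other uses may exist that this patch does not show.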
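Review bot: In the `@@ -64,12 +65,23 @@` hunk, `authorizedKeys = [(readFile "./key")];` passes a string rather than a path literal, and Nix normally rejects a relative string where a path is expected, so evaluation is likely to fail; `authorizedKeys = [ (readFile ./key) ];` resolves relative to rpi4.nix, as the `keyFiles = [ ./key ]` line in the same hunk already does. Separately, the initrd SSH server is a different daemon from `services.openssh`, so `permitRootLogin = "no"` does not cover it and this key grants a root shell in the initrd. The hunk does not show `boot.initrd.network.enable` or `boot.initrd.network.ssh.hostKeys`; if they are not set elsewhere they are needed, and the initrd host keys should be dedicated ones because they are stored in the initrd unencrypted. The attribute set these options sit in starts and ends outside the hunk.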