tadpole: Add authorized ssh key for pinwheel

hosts/tadpole/modules/ssh/default.nix

@@ -1,6 +1,8 @@
-{ lib, config, ... }:
+{ pkgs, lib, config, ... }:
 let
   enabled = config.mod.ssh.enable;
+
+  authorizedKeysPath = "/home/alex/.ssh/authorized-keys";
 in
 {
   options = {
@@ -23,7 +25,22 @@ in
       };
     };
 
+    environment.etc."ssh/authorized_keys_command" = {
+      mode = "0755";
+      text = ''
+        #!${pkgs.bash}/bin/bash
+        for file in ${authorizedKeysPath}/*; do
+          ${pkgs.coreutils}/bin/cat "$file"
+        done
+      '';
+    };
+
     age.secrets = {
+      "alex.pinwheel-tadpole.pub" = {
+        file = ../../../../secrets/pinwheel/alex.pinwheel-tadpole.pub.age;
+        path = "${authorizedKeysPath}/alex.pinwheel-tadpole.pub";
+      };
+
       "alex.tadpole-codeberg.org" = {
         file = ../../../../secrets/tadpole/alex.tadpole-codeberg.org.age;
         path = "/home/alex/.ssh/alex.tadpole-codeberg.org";
@@ -47,6 +64,14 @@ in
           path = "/etc/ssh/tadpole";
           type = "ed25519";
         }];
+
+        settings = {
+          PasswordAuthentication = false;
+          KbdInteractiveAuthentication = false;
+        };
+
+        authorizedKeysCommand = "/etc/ssh/authorized_keys_command";
+        authorizedKeysCommandUser = "root";
       };
     };
 

secrets/secrets.nix

@@ -11,6 +11,8 @@ in {
   "pinwheel/mullvad-account-history.age".publicKeys = [ pinwheel alex ];
   "pinwheel/alex.pinwheel-sombrero.age".publicKeys = [ pinwheel alex ];
   "pinwheel/alex.pinwheel-sombrero.pub.age".publicKeys = [ pinwheel sombrero alex ];
+  "pinwheel/alex.pinwheel-tadpole.age".publicKeys = [ pinwheel alex ];
+  "pinwheel/alex.pinwheel-tadpole.pub.age".publicKeys = [ pinwheel tadpole alex ];
   "pinwheel/alex.pinwheel-github.com.age".publicKeys = [ pinwheel alex ];
   "pinwheel/alex.pinwheel-github.com.pub.age".publicKeys = [ pinwheel alex ];
   "pinwheel/alex.pinwheel-andromeda.age".publicKeys = [ pinwheel alex ];