From 3b0679716d5c11c13af4c012ed26bfb50f354388 Mon Sep 17 00:00:00 2001
From: Alexander Heldt
Date: Thu, 15 Aug 2024 18:17:51 +0200
Subject: [PATCH] backwards: Add authorized `ssh` key for `pinwheel`
---
 hosts/backwards/modules/ssh/default.nix | 26 ++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/hosts/backwards/modules/ssh/default.nix b/hosts/backwards/modules/ssh/default.nix
index b485944..2c8f954 100644
--- a/hosts/backwards/modules/ssh/default.nix
+++ b/hosts/backwards/modules/ssh/default.nix
@@ -1,7 +1,8 @@
-{ lib, config, ... }:
+{ pkgs, lib, config, ... }:
 let
 enabled = config.mod.ssh.enable;
+ authorizedKeysPath = "/home/alex/.ssh/authorized-keys";
 rootSSHKeyPath = "/etc/ssh";
 in
 {
@@ -25,6 +26,16 @@ in
 };
 };
+ environment.etc."ssh/authorized_keys_command" = {
+ mode = "0755";
+ text = ''
+ #!${pkgs.bash}/bin/bash
+ for file in ${authorizedKeysPath}/*; do
+ ${pkgs.coreutils}/bin/cat "$file"
+ done
+ '';
+ };
+
 services = {
 openssh = {
 enable = true;
@@ -34,6 +45,14 @@ in
 path = "${rootSSHKeyPath}/root.backwards";
 type = "ed25519";
 }];
+
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ };
+
+ authorizedKeysCommand = "/etc/ssh/authorized_keys_command";
+ authorizedKeysCommandUser = "root";
 };
 };
@@ -53,6 +72,11 @@ in
 path = "${rootSSHKeyPath}/root.backwards.pub";
 };
+ "alex.pinwheel-backwards.pub" = {
+ file = ../../../../secrets/pinwheel/alex.pinwheel-backwards.pub.age;
+ path = "${authorizedKeysPath}/alex.pinwheel-backwards.pub";
+ };
+
 "alex.backwards-codeberg.org" = {
 file = ../../../../secrets/backwards/alex.backwards-codeberg.org.age;
 path = "/home/alex/.ssh/alex.backwards-codeberg.org";
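Review bot: `authorizedKeysPath` in the first hunk points into `/home/alex/.ssh`, a directory that alex can presumably write to, while the command added later in this patch treats every file in it as an authorized key and is run as root. Keeping the directory under the root-owned SSH path this file already uses would remove that dependency, e.g. `authorizedKeysPath = "${rootSSHKeyPath}/authorized-keys";` (`let` bindings are recursive, so the ordering is fine). The rest of the module lies outside the hunk, so confirm nothing else expects the keys under the home directory.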
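Review bot: The generated `authorized_keys_command` script never looks at its argument, so it prints the same keys for whichever account sshd is authenticating; when no arguments are configured sshd passes the target username as `$1`. As written, the `pinwheel` key would be accepted for root and any other login account as well as alex, unless that is restricted elsewhere (`PermitRootLogin`, `AllowUsers`; not visible in this patch). Add a guard as the first line of the script body, `[ "$1" = "alex" ] || exit 0`, with a comment naming the account the directory belongs to. When the directory is empty the glob stays literal and `cat` fails on it; `[ -e "$file" ] || continue` inside the loop avoids that noise.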
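Review bot: `authorizedKeysCommandUser = "root"` runs the key lookup with full privileges on every connection attempt, before the client has authenticated; sshd_config(5) recommends a dedicated account with no other role on the host. That account must be able to read the key files, which the age entry in the last hunk could arrange with `mode = "0444"` (a public key is not secret), provided the directory is one it can traverse. Consider `authorizedKeysCommandUser = "<dedicated-unprivileged-user>";` and, if root never needs to log in over SSH, `PermitRootLogin = "no";` next to the two new `settings` entries.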