backwards: Add authorized ssh key for pinwheel

hosts/backwards/modules/ssh/default.nix

@@ -1,7 +1,8 @@
-{ lib, config, ... }:
+{ pkgs, lib, config, ... }:
 let
   enabled = config.mod.ssh.enable;
 
+  authorizedKeysPath = "/home/alex/.ssh/authorized-keys";
   rootSSHKeyPath = "/etc/ssh";
 in
 {
@@ -25,6 +26,16 @@ in
       };
     };
 
+    environment.etc."ssh/authorized_keys_command" = {
+      mode = "0755";
+      text = ''
+        #!${pkgs.bash}/bin/bash
+        for file in ${authorizedKeysPath}/*; do
+          ${pkgs.coreutils}/bin/cat "$file"
+        done
+      '';
+    };
+
     services = {
       openssh = {
         enable = true;
@@ -34,6 +45,14 @@ in
           path = "${rootSSHKeyPath}/root.backwards";
           type = "ed25519";
         }];
+
+        settings = {
+          PasswordAuthentication = false;
+          KbdInteractiveAuthentication = false;
+        };
+
+        authorizedKeysCommand = "/etc/ssh/authorized_keys_command";
+        authorizedKeysCommandUser = "root";
       };
     };
 
@@ -53,6 +72,11 @@ in
         path = "${rootSSHKeyPath}/root.backwards.pub";
       };
 
+      "alex.pinwheel-backwards.pub" = {
+        file = ../../../../secrets/pinwheel/alex.pinwheel-backwards.pub.age;
+        path = "${authorizedKeysPath}/alex.pinwheel-backwards.pub";
+      };
+
       "alex.backwards-codeberg.org" = {
         file = ../../../../secrets/backwards/alex.backwards-codeberg.org.age;
         path = "/home/alex/.ssh/alex.backwards-codeberg.org";