From c923c80cbfba5fa42ac7fce048b1d4956b43aac5 Mon Sep 17 00:00:00 2001
From: Shahab Dogar
Date: Thu, 4 Sep 2025 20:21:18 +0500
Subject: [PATCH] sec: harden ssh config

---
 hosts/common/optional/services/openssh.nix | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/hosts/common/optional/services/openssh.nix b/hosts/common/optional/services/openssh.nix
index de26148..8f5a241 100644
--- a/hosts/common/optional/services/openssh.nix
+++ b/hosts/common/optional/services/openssh.nix
@@ -4,6 +4,14 @@ in {
 services.openssh = {
 enable = true;
 ports = [ sshPort ];
+
+ settings = {
+ PermitRootLogin = "no";
+ KbdInteractiveAuthentication = false;
+ PasswordAuthentication = false;
+ };
+
+ openFirewall = true;
 };
 
 networking.firewall.allowedTCPPorts = [ sshPort ];
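Review bot: `openFirewall = true;` duplicates the `networking.firewall.allowedTCPPorts = [ sshPort ];` context line at the end of the hunk, and as far as I know it is also the NixOS default for `services.openssh`, so it adds no hardening and leaves two places that open the port on every interface. Keep only one of them, or for a tighter posture set `openFirewall = false;` and open `sshPort` only on the management interface through `networking.firewall.interfaces.<name>.allowedTCPPorts`. With `PasswordAuthentication` and `KbdInteractiveAuthentication` both off, public-key login is the only path left, so confirm that `users.users.<name>.openssh.authorizedKeys.keys` is declared for every host that imports this module before rolling it out; nothing in this hunk shows it. The enclosing attribute set starts above the hunk and continues past it, so some of this may already be covered elsewhere in the file.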