From b54217ef0af20aed690e4bd735205cbd27416ce9 Mon Sep 17 00:00:00 2001
From: Sky
Date: Mon, 9 Feb 2026 08:29:55 +0000
Subject: [PATCH] ssh: require public key authentication
---
 flake.lock | 6 +++---
 host/macmini.nix | 5 +++++
 modules/system/networking.nix | 6 +++++-
 3 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/flake.lock b/flake.lock
index 266523b..3dbf09b 100644
--- a/flake.lock
+++ b/flake.lock
@@ -108,10 +108,10 @@
 },
 "secrets": {
 "locked": {
- "lastModified": 1769514557,
- "narHash": "sha256-nJOWEsRw7C2hrrC9xf74oAq3dLJEXq71M2bbdO+DUpw=",
+ "lastModified": 1770625307,
+ "narHash": "sha256-kg3cWWbUBD0wPXR51vxpsRk0rlR4++qjsKELH32M70E=",
 "ref": "refs/heads/main",
- "rev": "6aa45be13cc08dc2518b6b749df5e81975ed6df4",
+ "rev": "b46d84d1cc5b9fa6d0ca334b9b37a30dabdefec2",
 "shallow": true,
 "type": "git",
 "url": "ssh://git@git.colorsky.fun/Sky/secrets"
diff --git a/host/macmini.nix b/host/macmini.nix
index 79c34ff..e733092 100644
--- a/host/macmini.nix
+++ b/host/macmini.nix
@@ -1,5 +1,7 @@
 {
 pkgs,
+ secrets,
+ lib,
 ...
 }:
@@ -26,6 +28,9 @@
 i18n.defaultLocale = "en_US.UTF-8";
 users.users.sky = {
+ openssh.authorizedKeys.keys = [
+ (lib.readFile secrets.files.keys.nixos-wsl-pub)
+ ];
 isNormalUser = true;
 extraGroups = [ "wheel" ];
 packages = with pkgs; [
diff --git a/modules/system/networking.nix b/modules/system/networking.nix
index a9cd6c0..b797db8 100644
--- a/modules/system/networking.nix
+++ b/modules/system/networking.nix
@@ -1,6 +1,10 @@
 { ... }:
 {
- services.openssh.enable = true;
+ services.openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false;
+ settings.KbdInteractiveAuthentication = false;
+ };
 networking = {
 hostName = "macmini";
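Review bot: The `lib.readFile secrets.files.keys.nixos-wsl-pub` entry in the second hunk of host/macmini.nix copies the file's content into the evaluated configuration, and from there into the world-readable Nix store. That is harmless for a public key, but the value comes from the `secrets` input, so a short comment such as `# public key only: readFile output ends up in /nix/store` would keep the pattern from being reused on private material. Assuming the attribute is a path, `openssh.authorizedKeys.keyFiles = [ secrets.files.keys.nixos-wsl-pub ];` says the same thing without `readFile` and without the trailing newline it keeps. With password login disabled in modules/system/networking.nix this single key is the only remote login path visible in the patch, so a second key or console access is worth confirming before deploying. The `users.users.sky` block continues past the end of the hunk.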
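Review bot: Root login is left at its default in the new `services.openssh` block of modules/system/networking.nix, so root can still authenticate by key if it ever gains an authorized key. Since `sky` is in `wheel`, adding `settings.PermitRootLogin = "no";` would make the policy explicit. The file sits under modules/system/, and only host/macmini.nix receives an authorized key in this patch; if any other host imports this module it would lose SSH access, so a comment like `# key-only SSH: every importing host must set users.users.<name>.openssh.authorizedKeys` would document the precondition. As a style point, the two dotted `settings.*` lines read better grouped as `settings = { PasswordAuthentication = false; KbdInteractiveAuthentication = false; };`. The enclosing attribute set continues after the hunk.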