From 424ba823990502a14fda28a75bd870f2929c4ef5 Mon Sep 17 00:00:00 2001
From: DannyDannyDanny
Date: Sun, 8 Mar 2026 12:05:25 +0100
Subject: [PATCH] feat(sunken-ship): pwless ssh access :lock::sparkles:
---
 nixos/hosts/sunken-ship.nix | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/nixos/hosts/sunken-ship.nix b/nixos/hosts/sunken-ship.nix
index 3f83aa0..2732679 100644
--- a/nixos/hosts/sunken-ship.nix
+++ b/nixos/hosts/sunken-ship.nix
@@ -42,10 +42,21 @@ in
 isNormalUser = true;
 extraGroups = [ "wheel" "video" ]; # video: backlight control via light(1)
 # SSH keys: push via scp, don't commit. NixOS does not manage authorized_keys so scp'd keys persist.
- # Example: scp ~/.ssh/id_*_github.pub danny@server:/tmp/ then on server: mkdir -p ~/.ssh; cat /tmp/*.pub >> ~/.ssh/authorized_keys
+ # Example: scp ~/.ssh/id_ed25519_sunken_ship.pub danny@server:/tmp/ then on server: mkdir -p ~/.ssh; cat /tmp/*.pub >> ~/.ssh/authorized_keys
 };
- services.openssh.enable = true;
+ # Key-only auth; no password or keyboard-interactive.
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ };
+ # Optionally restrict to LAN: settings.ListenAddress = "10.0.0.1"; or similar.
+ };
+
+ # Passwordless sudo for wheel.
+ security.sudo.wheelNeedsPassword = false;
 environment.systemPackages = [ pkgs.git ]; # for clone/bootstrap and timer
 # Pull dotfiles and rebuild if the repo has new commits.
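Review bot: `security.sudo.wheelNeedsPassword = false;` (the last added line) turns every key in a wheel member's `~/.ssh/authorized_keys` into a password-free root credential, and the comment kept above says those keys are scp'd onto the host rather than declared, so the set of root-capable keys is not reviewable from this config. Either leave `wheelNeedsPassword` at its default so sudo still asks for the account password after key-only SSH, or declare the public keys with `users.users.<name>.openssh.authorizedKeys.keys` (public keys are safe to commit) so the trust set lives in the repo and is rebuilt with the host. At minimum the new comment should state the consequence: `# Passwordless sudo for wheel: with key-only SSH, any key in a wheel user's authorized_keys is effectively a root credential; NixOS does not manage that file, so audit it on the host.` The user attribute set this hunk edits starts outside the hunk, so the affected user name is inferred from the scp example only.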