System: Harden SSHD and authorize key

system/default.nix

@@ -8,6 +8,7 @@
   system,
   username,
   headless,
+  publicKeys,
   ...
 }:
 with mylib.networking; {
@@ -273,6 +274,10 @@ with mylib.networking; {
     ];
     shell = pkgs.fish;
 
+    openssh.authorizedKeys.keys = [
+      publicKeys.christoph.ssh
+    ];
+
     # We do this with HomeManager
     # packages = with pkgs; [];
   };
@@ -418,7 +423,9 @@ with mylib.networking; {
     };
 
     # Enable the OpenSSH daemon.
-    openssh.enable = true;
+    openssh = {
+      enable = true;
+    };
 
     # Trims the journal if too large
     journald.extraConfig = ''

system/nixinator/default.nix

@@ -176,6 +176,22 @@
       fileSystems = ["/"];
     };
 
+    # Temporarily ban IPs for SSH after failed login attempts
+    fail2ban = {
+      enable = true;
+    };
+
+    openssh = {
+      ports = [5432];
+      settings = {
+        PasswordAuthentication = false;
+        KbdInteractiveAuthentication = false;
+        PermitRootLogin = "no";
+        AllowUsers = [username];
+        LogLevel = "VERBOSE"; # For fail2ban
+      };
+    };
+
     # Keep this as a system service because we're backing up /persist as root
     # TODO: The repository gets corrupted all the time, maybe because the service runs before the repository is mounted?
     #       - Was this caused by the NFS "soft" option?