From abc6d28f4ef01a5308ee7b548356db009ca1d297 Mon Sep 17 00:00:00 2001
From: Artem Sheremet
Date: Fri, 27 Mar 2026 20:46:55 +0000
Subject: [PATCH] Add sshd module
---
 flake.nix | 1 +
 modules/sshd.nix | 16 ++++++++++++++++
 2 files changed, 17 insertions(+)
 create mode 100644 modules/sshd.nix
diff --git a/flake.nix b/flake.nix
index 3294e88..79bdc23 100644
--- a/flake.nix
+++ b/flake.nix
@@ -27,6 +27,7 @@
 nix-gc = import ./modules/nix-gc.nix;
 futureware = import ./modules/futureware.nix;
 tools = import ./modules/tools.nix;
+ sshd = import ./modules/sshd.nix;
 };

 lib.pre-commit = import ./pre-commit.nix;
diff --git a/modules/sshd.nix b/modules/sshd.nix
new file mode 100644
index 0000000..2a89380
--- /dev/null
+++ b/modules/sshd.nix
@@ -0,0 +1,16 @@
+_: {
+ services.openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false;
+ settings.KbdInteractiveAuthentication = false;
+ hostKeys = [
+ # Generate a key if it's missing, which is normal at first boot, but can
+ # also be a TPM failure for PCs with a TPM.
+ # Do not generate an RSA key.
+ {
+ path = "/etc/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ ];
+ };
+}
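Review bot: In modules/sshd.nix the `services.openssh` block disables password and keyboard-interactive authentication but leaves `PermitRootLogin` at the NixOS default, which as far as I know is `prohibit-password`, so root can still log in directly with a key. If direct root login is not intended for hosts importing this module, add `settings.PermitRootLogin = "no";` beside the other two settings; if it is intended, a one-line comment saying so would make the choice visible. The host-key comment is also ambiguous about what an operator should do: a wording such as `# Only an ed25519 host key, no RSA. A missing key is regenerated on start, which is expected on first boot; on TPM machines an unexpected regeneration may indicate a TPM failure.` would state the point more directly, assuming that is the meaning the author had in mind.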