From f28d05e24eee55396773f165b40d374be795f414 Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Wed, 5 Oct 2022 11:57:51 +0200
Subject: [PATCH 1/2] Change user.publicKeys to a SSH keys string list

---
 modules/user/default.nix | 2 +-
 profiles/base-user/default.nix | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/user/default.nix b/modules/user/default.nix
index 2fd5958e..7c869380 100644
--- a/modules/user/default.nix
+++ b/modules/user/default.nix
@@ -23,7 +23,7 @@ in
 };
 publicKeys = mkOption {
 description = "User SSH public keys";
- type = types.listOf types.path;
+ type = types.listOf types.str;
 default = [ ];
 };
 fullName = mkOption {
diff --git a/profiles/base-user/default.nix b/profiles/base-user/default.nix
index 9ff21c8e..374dca40 100644
--- a/profiles/base-user/default.nix
+++ b/profiles/base-user/default.nix
@@ -25,7 +25,7 @@ in
 ];
 initialHashedPassword = if psCfg.user.password != null then psCfg.user.password else "";
 shell = pkgs.zsh;
- openssh.authorizedKeys.keyFiles = if psCfg.user.publicKeys != null then psCfg.user.publicKeys else [ ];
+ openssh.authorizedKeys.keys = if psCfg.user.publicKeys != null then psCfg.user.publicKeys else [ ];
 };
 };
 }
From d43bd8058058f7d3231b4422997e9a11eb03385b Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Wed, 5 Oct 2022 11:58:26 +0200
Subject: [PATCH 2/2] core: disable SSH passwordAuthentication by default

---
 modules/core/services.nix | 1 +
 modules/paranoia/default.nix | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/core/services.nix b/modules/core/services.nix
index 41aa45e5..6ce74472 100644
--- a/modules/core/services.nix
+++ b/modules/core/services.nix
@@ -7,6 +7,7 @@
 # If you don't want the host to have SSH actually opened up to the net,
 # set `services.openssh.openFirewall` to false in your config.
 openFirewall = lib.mkDefault true;
+ passwordAuthentication = false;
 };
 # Service that makes Out of Memory Killer more effective
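Review bot: The option description `"User SSH public keys"` no longer tells a reader what each element is now that the type is `types.listOf types.str` instead of paths; it should say whether to pass key material or file names, e.g. `description = "User SSH public keys as authorized_keys lines, e.g. \"ssh-ed25519 AAAA... user@host\"";`. Given that profiles/base-user in this same patch feeds the list straight into `openssh.authorizedKeys.keys`, consider `types.listOf types.singleLineStr` (if the pinned nixpkgs provides it) so that an element containing an embedded newline cannot smuggle an extra key or authorized_keys option line into the file. Existing configurations that still pass `.pub` paths will now fail evaluation with a type error, which a migration hint in the description would make easier to diagnose.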
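Review bot: The `!= null` guard on the new `openssh.authorizedKeys.keys` line is dead: `user.publicKeys` is declared as `types.listOf types.str` with `default = [ ]` in modules/user/default.nix, so the module system never lets it evaluate to null (assuming `psCfg.user` is that option set), and the line can simply be `openssh.authorizedKeys.keys = psCfg.user.publicKeys;`. With the companion commit turning SSH password authentication off by default, a host whose `publicKeys` is left at `[ ]` ends up with a user that has no way to log in over SSH at all, so a `warnings` entry or an assertion when `psCfg.user.publicKeys == [ ]` and `services.openssh.enable` is set would catch that before deployment. The enclosing user attribute set opens outside this hunk.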
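Review bot: `passwordAuthentication = false;` on its own does not stop password logins, because sshd's keyboard-interactive method authenticates against PAM with the same account password, and NixOS's `services.openssh.kbdInteractiveAuthentication` is, as far as I recall, enabled by default (verify against the pinned nixpkgs); the paranoia module touched in this same series still sets it to false for exactly that reason, so the core default should add `kbdInteractiveAuthentication = false;` next to the new line. Separately, the new line is a hard assignment while `openFirewall` directly above uses `lib.mkDefault`, so a host module that deliberately sets `passwordAuthentication = true` will hit a conflicting-definition error instead of overriding; `passwordAuthentication = lib.mkDefault false;` matches the subject's "by default" wording and the adjacent line's style. The enclosing `services.openssh` attribute set opens outside this hunk.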
diff --git a/modules/paranoia/default.nix b/modules/paranoia/default.nix
index 75275a11..2dc439cf 100644
--- a/modules/paranoia/default.nix
+++ b/modules/paranoia/default.nix
@@ -39,7 +39,6 @@ in
 # fileSystems."/".options = [ "noexec" ];
 services.openssh = {
- passwordAuthentication = false;
 kbdInteractiveAuthentication = false;
 extraConfig = ''
 AllowTcpForwarding yes