feat: harden openssh settings

nixos/configuration.nix

@@ -30,6 +30,7 @@
     ./services/mastodon.nix
     ./services/microboard.nix
     ./services/nextcloud.nix
+    ./services/openssh.nix
     ./services/phoenix.nix
     ./services/prosody.nix
     ./services/ss.nix
@@ -80,12 +81,6 @@
     deluged
   ];
 
-  # Enable the OpenSSH daemon.
-  services.openssh = {
-    enable = true;
-    settings.PasswordAuthentication = false;
-  };
-
   powerManagement.powertop.enable = true;
 
   system.stateVersion = "22.11";

nixos/services/openssh.nix

@@ -0,0 +1,14 @@
+{ config, ... }:
+{
+  services.openssh = {
+    enable = true;
+    settings = {
+      PasswordAuthentication = false;
+      PermitRootLogin = "no";
+      AllowUsers = [
+        "lumin"
+        "forgejo"
+      ];
+    };
+  };
+}