# NixOS module: adds `services.openssh.authorizedKeysOnly`, a switch that turns
# off the password-based sshd login methods.
#
# Only PasswordAuthentication and KbdInteractiveAuthentication are set here.
# Every other sshd setting, including any other authentication method enabled
# elsewhere in the configuration, is left as configured.
{ config, lib, pkgs, ... }:

let
  inherit (lib) mkEnableOption mkIf;

  sshd = config.services.openssh;

  # Both settings are turned off together: disabling PasswordAuthentication
  # alone would leave keyboard-interactive prompts (typically PAM-backed)
  # available as a password path.
  keyOnlySettings = {
    KbdInteractiveAuthentication = false;
    PasswordAuthentication = false;
  };
in
{
  options.services.openssh.authorizedKeysOnly = mkEnableOption ''
    only logins using ssh keys (improving over default settings)
  '';

  # Nothing is defined unless sshd itself is enabled; the two settings are
  # only defined when authorizedKeysOnly is switched on as well.
  config = mkIf sshd.enable {
    services.openssh.settings = mkIf sshd.authorizedKeysOnly keyOnlySettings;
  };

  # TODO add tests
}