modules/machine/yshtola/configuration.nix

@@ -21,7 +21,11 @@
   time.timeZone = "America/Detroit";
 
   # Enable OpenSSH
-  services.openssh.enable = true;
+  services.openssh = {
+    enable = true;
+    PermitRootLogin = "no";
+    PasswordAuthentication = "no";
+  };
 
   # Enable keyring
   services.gnome.gnome-keyring.enable = true;
@@ -79,7 +83,13 @@
   };
 
   # Add username to groups "wheel" and "video" - more may be added here later
-  users.users.${userName}.extraGroups = ["wheel" "video" "network"];
+  users.users.${userName} = {
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFV9eSc9L+aJLoKoexq2f/jb5rpyZnhuGiyhS8YQAbaS wyatt@wyattjmiller.com"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4WKvKnnYpTbzZHFEslOKyfiiMqWxhW3AfX6E7ACmYU wyatt@wyattjmiller.com"
+    ];
+    extraGroups = ["wheel" "video" "network"];
+  };
 
   # fail2ban
   services.fail2ban = {
@@ -109,6 +119,9 @@
         zstd_compression = true;
         new_user_displayname_suffix = "✨";
         max_request_size = 1048575600; # 100MB in bytes, for file uploads
+        database_path = "/var/lib/tuwunel";
+        database_backup_path = "/var/lib/tuwunel/database_backups";
+        database_backups_to_keep = 2;
 
         address = [
           "127.0.0.1"
@@ -128,11 +141,10 @@
           };
         };
       };
-      # TODO: figure out what goes here
     };
   };
 
-  # LiveKit (MatrixRTC)
+  # LiveKit (Matrix RTC)
   services.livekit = {
     enable = true;
     package = pkgs.livekit;
@@ -143,10 +155,10 @@
       rtc = {
         use_external_ip = true;
       };
-      # TODO: figure out what goes here
     };
   };
 
+  # Reverse proxy
   services.caddy = {
     enable = true;
     package = pkgs.caddy;