fix(ssh): enable key-based root login and use FQDNs for system services

Fixes backup system authentication and hostname resolution issues. Changes: - Change PermitRootLogin from "no" to "prohibit-password" in global SSH config (allows key-based root login for host-to-host backups while blocking passwords) - Update fuchsia onsite backup to use viridian.home.arpa FQDN instead of shortname - Update SSH knownHosts to use FQDNs (fuchsia.home.arpa, viridian.home.arpa) (system-level config uses FQDNs, user shortcuts remain in home-manager) This enables the complete 3-2-1 backup strategy with automated backups working correctly between fuchsia and viridian, and fuchsia to BorgBase.
2025-10-07 23:11:31 +08:00 · 2025-10-07 23:11:31 +08:00 · 8874c88fbc
commit 8874c88fbc
parent 6723c0e0b6
4 changed files with 12 additions and 12 deletions
--- a/nixos/common/global/ssh.nix
+++ b/nixos/common/global/ssh.nix
@ -6,12 +6,12 @@
    enable = true;

    settings = {
-      PermitRootLogin = "no";           # Disable root login for security
-      PasswordAuthentication = false;   # Require key-based authentication
-      LogLevel = "VERBOSE";             # Enhanced logging for security auditing
+      PermitRootLogin = "prohibit-password";  # Allow root login with keys only
+      PasswordAuthentication = false;         # Require key-based authentication
+      LogLevel = "VERBOSE";                   # Enhanced logging for security auditing
    };

-    ports = [22];                       # Standard SSH port
-    openFirewall = true;                # Allow SSH through firewall
+    ports = [22];                             # Standard SSH port
+    openFirewall = true;                      # Allow SSH through firewall
  };
 }