From 4d9b826d39f65ed590aa7c3429fe6968ecf004a6 Mon Sep 17 00:00:00 2001
From: Satria <admin@satr14.my.id>
Date: Sun, 15 Mar 2026 10:33:25 +0700
Subject: [PATCH] disable root password auth

---
 .forgejo/workflows/activate.yml | 2 ++
 hosts/bootstrap/config.nix      | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/.forgejo/workflows/activate.yml b/.forgejo/workflows/activate.yml
index 78561f1..8d1ad80 100644
--- a/.forgejo/workflows/activate.yml
+++ b/.forgejo/workflows/activate.yml
@@ -21,6 +21,7 @@ jobs:
       - name: Rebuild
         run: |
           ssh -i ./ssh/deploy_key \
+            -o PasswordAuthentication=no \
             -o StrictHostKeyChecking=no \
             -o UserKnownHostsFile=/dev/null \
             root@localhost \
@@ -30,6 +31,7 @@ jobs:
         if: always()
         run: |
           ssh -i ./ssh/deploy_key \
+            -o PasswordAuthentication=no \
             -o StrictHostKeyChecking=no \
             -o UserKnownHostsFile=/dev/null \
             root@localhost "bash -lc 'nixos-version'"
diff --git a/hosts/bootstrap/config.nix b/hosts/bootstrap/config.nix
index 7eeca52..0e549ca 100644
--- a/hosts/bootstrap/config.nix
+++ b/hosts/bootstrap/config.nix
@@ -21,7 +21,7 @@
     tailscale.enable = true;
     openssh = {
       enable = true;
-      settings.PermitRootLogin = "yes";
+      settings.PermitRootLogin = "prohibit-password";
     };
   };
   users.users."${username}" = {