nixos/sshd: warn if no authorized keys, and no authentication method other than pubkeys, were configured

nixos/modules/services/networking/ssh/sshd.nix

@@ -108,6 +108,10 @@ let
 
   };
 
+  usersWithKeys = lib.attrValues (lib.flip lib.filterAttrs config.users.users (n: u:
+    lib.length u.openssh.authorizedKeys.keys != 0 || lib.length u.openssh.authorizedKeys.keyFiles != 0
+  ));
+
   authKeysFiles = let
     mkAuthKeyFile = u: lib.nameValuePair "ssh/authorized_keys.d/${u.name}" {
       mode = "0444";
@@ -116,9 +120,6 @@ let
         ${lib.concatMapStrings (f: lib.readFile f + "\n") u.openssh.authorizedKeys.keyFiles}
       '';
     };
-    usersWithKeys = lib.attrValues (lib.flip lib.filterAttrs config.users.users (n: u:
-      lib.length u.openssh.authorizedKeys.keys != 0 || lib.length u.openssh.authorizedKeys.keyFiles != 0
-    ));
   in lib.listToAttrs (map mkAuthKeyFile usersWithKeys);
 
   authPrincipalsFiles = let
@@ -545,6 +546,17 @@ in
 
   config = lib.mkIf cfg.enable {
 
+    warnings = lib.optional (with cfg; lib.all lib.id [
+      # ~/.ssh/authorized_keys is ignored and no custom file locations were set
+      (authorizedKeysFiles == [ "/etc/ssh/authorized_keys.d/%u" ])
+      # no command provides authorized keys
+      (authorizedKeysCommand == "none")
+      # no users have keys in declarative configuration
+      (usersWithKeys == [])
+      # no authentication methods other than public keys are configured
+      ((settings.PasswordAuthentication == false && !package.withKerberos) || settings.AuthenticationMethods == [ "publickey" ])
+    ]) "services.openssh: no keys were set in `users.users.*.openssh.authorizedKeys` and `~/.ssh/authorized_keys` will be ignored";
+
     users.users.sshd =
       {
         isSystemUser = true;