add global hardening options

common/default.nix

@@ -5,5 +5,6 @@
     ./raito-proxy-aware-nginx.nix
     ./base-server.nix
     ./sysadmin
+    ./hardening.nix
   ];
 }

common/hardening.nix

@@ -0,0 +1,23 @@
+{ config, lib, ... }:
+
+{
+  nix.settings.allowed-users = [ "root" ];
+
+  boot.specialFileSystems = lib.mkIf (!config.security.rtkit.enable && !config.security.polkit.enable) {
+    "/proc".options = [ "hidepid=2" ];
+  };
+
+  boot.kernel.sysctl."kernel.dmesg_restrict" = 1;
+
+  services.openssh = {
+    settings.PasswordAuthentication = false;
+    settings.KbdInteractiveAuthentication = false;
+
+    # prevents mutable /home/$user/.ssh/authorized_keys from being loaded to ensure that all user keys are config managed
+    authorizedKeysFiles = lib.mkForce [
+      "/etc/ssh/authorized_keys.d/%u"
+    ];
+  };
+
+  users.mutableUsers = false;
+}