# Baseline host hardening: restricts Nix daemon access, limits visibility of
# process and kernel-log information, makes SSH key-only, and keeps SSH keys
# and user accounts defined solely by the system configuration.
# This module only sets options; it does not enable sshd itself.
{ config, lib, ... }:

let
  # hidepid is applied only while both rtkit and polkit are disabled.
  # NOTE(review): presumably those services need to read other users' /proc
  # entries and break under hidepid -- confirm before changing this guard.
  canHideProcs = !(config.security.rtkit.enable || config.security.polkit.enable);
in
{
  # Limit Nix daemon connections to root. Users listed in trusted-users (if
  # any are set elsewhere) are still allowed to connect.
  nix.settings.allowed-users = [ "root" ];

  boot = {
    # hidepid=2 hides /proc/<pid> entries of processes owned by other users,
    # so unprivileged accounts cannot enumerate other users' processes or
    # read their command lines.
    specialFileSystems = lib.mkIf canHideProcs {
      "/proc" = {
        options = [ "hidepid=2" ];
      };
    };

    # Reading the kernel log requires privilege; it can expose kernel
    # addresses and hardware details to unprivileged users otherwise.
    kernel.sysctl."kernel.dmesg_restrict" = 1;
  };

  services.openssh = {
    # Key-based login only. Keyboard-interactive is disabled as well because
    # it can otherwise still offer a password prompt through PAM.
    settings = {
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
    };

    # Keys are read only from /etc/ssh/authorized_keys.d/<login name>, which
    # NixOS generates from users.users.<name>.openssh.authorizedKeys.
    # mkForce replaces every other definition of this option, so a writable
    # ~/.ssh/authorized_keys is never consulted and a key added there (by the
    # user or by anyone who gains write access to the home directory) grants
    # no access.
    authorizedKeysFiles = lib.mkForce [
      "/etc/ssh/authorized_keys.d/%u"
    ];
  };

  # Accounts, groups and passwords come only from the configuration; changes
  # made imperatively (useradd, passwd) are not kept across activations.
  users.mutableUsers = false;
}