24 lines
635 B
Nix
24 lines
635 B
Nix
{ config, lib, ... }:
|
|
|
|
{
|
|
nix.settings.allowed-users = [ "root" ];
|
|
|
|
boot.specialFileSystems = lib.mkIf (!config.security.rtkit.enable && !config.security.polkit.enable) {
|
|
"/proc".options = [ "hidepid=2" ];
|
|
};
|
|
|
|
boot.kernel.sysctl."kernel.dmesg_restrict" = 1;
|
|
|
|
services.openssh = {
|
|
settings.PasswordAuthentication = false;
|
|
settings.KbdInteractiveAuthentication = false;
|
|
|
|
# prevents mutable /home/$user/.ssh/authorized_keys from being loaded to ensure that all user keys are config managed
|
|
authorizedKeysFiles = lib.mkForce [
|
|
"/etc/ssh/authorized_keys.d/%u"
|
|
];
|
|
};
|
|
|
|
users.mutableUsers = false;
|
|
}
|