misc: initial commit

nixos/hardening.nix

@@ -0,0 +1,23 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  nix.settings.allowed-users = ["@wheel"];
+  security.sudo.execWheelOnly = true;
+  services.openssh = {
+    allowSFTP = false;
+    settings = {
+      ChallengeResponseAuthentication = false;
+      PasswordAuthentication = false;
+    };
+    extraConfig = ''
+      AllowTcpForwarding yes
+      X11Forwarding no
+      AllowAgentForwarding no
+      AllowStreamLocalForwarding no
+      AuthenticationMethods publickey
+    '';
+  };
+}