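# NixOS module: restricts Nix daemon and sudo use to the wheel group and
# hardens the OpenSSH server to public-key-only logins.
{ config, lib, pkgs, ... }:
{
  # Only members of the wheel group may talk to the Nix daemon.
  nix.settings.allowed-users = [ "@wheel" ];

  # Make the sudo binary executable by wheel members only, so other local
  # accounts cannot invoke the setuid binary at all.
  security.sudo.execWheelOnly = true;

  services.openssh = {
    # Do not offer the SFTP subsystem.
    allowSFTP = false;

    settings = {
      # Canonical OpenSSH keyword; ChallengeResponseAuthentication is only a
      # deprecated alias for it. Using the canonical name avoids emitting both
      # the alias and the module's own KbdInteractiveAuthentication line.
      KbdInteractiveAuthentication = false;
      PasswordAuthentication = false;
      # NOTE(review): PermitRootLogin is not set here, so the module default
      # applies; confirm that default matches the host's policy.
    };

    # sshd_config takes one directive per line, so each keyword must be on its
    # own line. sshd uses the first value it reads for a keyword; directives
    # here are presumably appended after the generated settings, so they do
    # not override a keyword the module already emitted (verify with `sshd -T`).
    extraConfig = ''
      AllowTcpForwarding yes
      X11Forwarding no
      AllowAgentForwarding no
      AllowStreamLocalForwarding no
      AuthenticationMethods publickey
    '';
    # NOTE(review): AllowTcpForwarding is the only forwarding channel left
    # enabled. Any key-authenticated account can use it to reach hosts this
    # machine can reach. If that is not needed, set it to "no" or narrow it
    # (e.g. "local" together with PermitOpen).
  };
}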