nixos-framework-laptop-config/nixos/hardening.nix

{
  config,
  lib,
  pkgs,
  ...
}: {
  nix.settings.allowed-users = ["@wheel"];
  security.sudo.execWheelOnly = true;
  services.openssh = {
    allowSFTP = false;
    settings = {
      ChallengeResponseAuthentication = false;
      PasswordAuthentication = false;
    };
    extraConfig = ''
      AllowTcpForwarding yes
      X11Forwarding no
      AllowAgentForwarding no
      AllowStreamLocalForwarding no
      AuthenticationMethods publickey
    '';
  };
}