hardening

common/default.nix

@@ -21,12 +21,26 @@
   ];
   programs.mtr.enable = true;
   programs.zsh.enable = true;
-  security.sudo-rs = {
+  security.sudo = {
     enable = true;
     wheelNeedsPassword = false;
+    execWheelOnly = true;
   };
   networking.firewall.enable = false;
-  services.openssh.enable = true;
+  services.openssh = {
+    enable = true;
+    settings = {
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
+    };
+    extraConfig = ''
+      AllowTcpForwarding yes
+      AllowAgentForwarding yes
+      AllowStreamLocalForwarding yes
+      AuthenticationMethods publickey
+    '';
+  };
+
   virtualisation.containers.enable = true;
   virtualisation = {
     podman = {

common/motd.nix

@@ -6,5 +6,6 @@ Latest news
 * Stella: Flakes now enabled
 * Stella: Web hosting now available, contact an admin to enable
 * Stella: ipv6 enabled
+* Now supports fetching your ssh key from a url, contact an admin to configure
 '';
 }