grimm-nixos-laptop/hardening/ssh-as-sudo.nix

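# Hardening module: sshd restricted to public-key authentication, with a single
# authorized key installed for root. The file name suggests this SSH path is meant
# to stand in for sudo; sudo itself is left untouched here (the line that would
# disable it is still commented out at the bottom).
{ pkgs, lib, ... }:
{
  services.openssh = {
    enable = true;
    settings.PasswordAuthentication = false;
    # Was `settings.challengeResponseAuthentication`. That keyword is the deprecated
    # OpenSSH alias of KbdInteractiveAuthentication and is not the option the NixOS
    # module declares, so the module's own KbdInteractiveAuthentication value would
    # still be rendered next to it (sshd keeps the first value it reads for a
    # keyword). Setting the declared option removes that ambiguity.
    settings.KbdInteractiveAuthentication = false;
    # settings.UsePAM = false;
    # mkDefault: other modules can still open the port or enable SFTP without mkForce.
    # NOTE(review): a closed firewall port is the only thing in this file keeping sshd
    # off the network; the listen addresses are not restricted. If the daemon is only
    # meant to be reached locally, services.openssh.listenAddresses can pin it to
    # loopback.
    openFirewall = lib.mkDefault false;
    allowSFTP = lib.mkDefault false;
    # startWhenNeeded = true;
    # TCP forwarding is the only forwarding type left enabled. The account reachable
    # with this key is root, so whoever holds the key can tunnel TCP through this host.
    # NOTE(review): confirm that is needed, otherwise set it to `no` like the rest.
    # AuthenticationMethods makes public-key auth the single accepted method,
    # independent of the individual toggles above.
    # NOTE(review): PermitRootLogin is not set here, so root key login relies on the
    # module default — confirm the effective value is `prohibit-password`.
    extraConfig = ''
      AllowTcpForwarding yes
      X11Forwarding no
      AllowAgentForwarding no
      AllowStreamLocalForwarding no
      AuthenticationMethods publickey
    '';
  };
  users.users.root = {
    # isSystemUser = true;
    # isNormalUser = true;
    uid = 0;
    # The only key accepted for root; the path is relative to this file.
    # NOTE(review): the `_sk` suffix suggests a FIDO security-key-backed key. If so,
    # sshd's `PubkeyAuthOptions verify-required` can additionally demand user
    # verification (PIN) on the server side.
    openssh.authorizedKeys.keyFiles = [ ../ssh/id_ed25519_sk.pub ];
    # home = "/root";
    # No password hash is declared for root in this module.
    # NOTE(review): whether root can still log in locally with a password depends on
    # users.mutableUsers and on state outside this file — confirm.
    hashedPassword = null;
    # mkForce overrides any other definition of createHome for root.
    createHome = lib.mkForce true;
  };
  # Runs the OpenSSH agent for user sessions; forwarding an agent *into* this sshd is
  # disabled above (AllowAgentForwarding no).
  programs.ssh.startAgent = true;
  # security.sudo.enable = false;
  # services.yubikey-agent.enable = true;
}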