From 06398f02a6a0a5638d9fb9fc4638edebd2f7ef6c Mon Sep 17 00:00:00 2001
From: Antoine Viallon
Date: Fri, 8 Mar 2024 23:27:30 +0100
Subject: [PATCH] [Hardening] prohibit root ssh login entirely in hardcore mode
---
 security/hardening.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/security/hardening.nix b/security/hardening.nix
index a679d06..fba0b5b 100644
--- a/security/hardening.nix
+++ b/security/hardening.nix
@@ -43,7 +43,10 @@ in
 security.sudo.execWheelOnly = true;
- services.openssh.settings.PermitRootLogin = "prohibit-password";
+ services.openssh.settings.PermitRootLogin =
+ if cfg.hardcore then
+ "no"
+ else "prohibit-password";
 security.apparmor.enable = true;
 services.dbus.apparmor = "enabled";
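Review bot: With `PermitRootLogin = "no"` in hardcore mode and `security.sudo.execWheelOnly = true` just above it, remote administration depends entirely on a non-root wheel user with working SSH credentials, and nothing in this hunk checks that one exists before root login is switched off. I would document that on the assignment, e.g. `# hardcore: no root SSH at all; admins log in as a wheel user and escalate with sudo`, and, if this module has an `assertions` list (not visible here), fail evaluation when hardcore is enabled without such a user. The non-hardcore branch still accepts key-based root login, and whether password authentication for other accounts is disabled elsewhere in the file cannot be seen from this hunk. The enclosing attribute set starts and ends outside the hunk.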