snowfall lib migration WIP

modules/nixos/security/users/default.nix

@@ -0,0 +1,44 @@
+{
+  lib,
+  pkgs,
+  inputs,
+  namespace,
+  system,
+  target,
+  format,
+  virtual,
+  systems,
+  config,
+  ...
+}:
+with lib;
+with lib.${namespace}; let
+  cfg = config.${namespace}.security.users;
+in {
+  options.${namespace}.security.users = with types; {
+    enable = mkBoolOpt true "Enable security measures for users, that include immutable users, disabled root access and ssh rules";
+  };
+
+  config = mkIf cfg.enable {
+    users = {
+      mutableUsers = false;
+      users = {
+        root = {
+          # disable root login here, and also when installing nix by running nixos-install --no-root-passwd
+          # https://discourse.nixos.org/t/how-to-disable-root-user-account-in-configuration-nix/13235/3
+          hashedPassword = "!"; # disable root logins, nothing hashes to !
+        };
+      };
+    };
+    # Enable the OpenSSH daemon.
+    services.openssh = {
+      enable = true;
+      # require public key authentication for better security
+      settings.PasswordAuthentication = false;
+      settings.KbdInteractiveAuthentication = false;
+      settings.PermitRootLogin = "no";
+    };
+    networking.firewall.allowedTCPPorts = [22];
+    networking.firewall.allowedUDPPorts = [22];
+  };
+}