From 08e5e4d90b19232b3bd36e3b0257067c5e26ec65 Mon Sep 17 00:00:00 2001
From: Peder Bergebakken Sundt
Date: Sun, 11 Aug 2024 03:31:04 +0200
Subject: [PATCH] users: disable password login for users in @wheel
---
 users/default.nix | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/users/default.nix b/users/default.nix
index 3d16fb4..6976943 100644
--- a/users/default.nix
+++ b/users/default.nix
@@ -1,4 +1,4 @@
-{lib, ...}:
+{lib, config, ...}:
 with lib; let # get all files in folder
@@ -17,4 +17,17 @@ in imports = makeAbsolute ./.;
+ services.openssh.extraConfig =
+ lib.pipe (builtins.attrNames config.users.users) [
+ (builtins.filter (uname: builtins.any (x: x) [
+ (config.users.users.${uname}.group == "wheel")
+ (builtins.elem "wheel" config.users.users.${uname}.extraGroups)
+ ]))
+ (builtins.map (uname: ''
+ Match User ${uname}
+ PasswordAuthentication no
+ ''))
+ lib.concatLines
+ ];
+
 }
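Review bot: The generated `Match User` blocks in `services.openssh.extraConfig` turn off only `PasswordAuthentication`, so a wheel account can still authenticate with its password over keyboard-interactive (PAM) if that method is enabled elsewhere in the sshd configuration, which this hunk does not show; add `KbdInteractiveAuthentication no` to each block. The user list is also fixed at evaluation time from `config.users.users`, so an account placed in wheel outside this configuration is not covered; a single `Match Group wheel` block followed by the two `no` lines would let sshd check membership at login and would replace the filter/map pipeline. Because a Match block runs until the next `Match` line, any other module's `extraConfig` text merged after this one would be scoped to the last matched user, so wrapping the value in `lib.mkAfter` is worth considering. The attribute set this assignment sits in opens outside the hunk.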