Only allow admins to login to hardened hosts.

config/instance.nix

@@ -12,7 +12,7 @@ with lib;
     host-user-list = host.local-users;
     domain-user-list = config.fudo.domains."${local-domain}".local-users;
     site-user-list = config.fudo.sites."${local-site}".local-users;
-    local-users =
+    all-users =
       getAttrs (host-user-list ++ domain-user-list ++ site-user-list) config.fudo.users;
 
     host-admin-list = host.local-admins;
@@ -39,6 +39,11 @@ with lib;
 
     host-fqdn = "${config.instance.hostname}.${local-domain}";
 
+    local-users =
+      if (host.hardened) then
+        local-admins
+      else all-users;
+
   in {
     instance = {
       inherit