From 9bc143805b999f514b990e3cfe9528c2fff5c286 Mon Sep 17 00:00:00 2001 From: niten Date: Tue, 30 Nov 2021 10:46:38 -0800 Subject: [PATCH] Only allow admins to login to hardened hosts. --- config/instance.nix | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/config/instance.nix b/config/instance.nix index 0bdb6a7..6e04e09 100644 --- a/config/instance.nix +++ b/config/instance.nix @@ -12,7 +12,7 @@ with lib; host-user-list = host.local-users; domain-user-list = config.fudo.domains."${local-domain}".local-users; site-user-list = config.fudo.sites."${local-site}".local-users; - local-users = + all-users = getAttrs (host-user-list ++ domain-user-list ++ site-user-list) config.fudo.users; host-admin-list = host.local-admins; @@ -39,6 +39,11 @@ with lib; host-fqdn = "${config.instance.hostname}.${local-domain}"; + local-users = + if (host.hardened) then + local-admins + else all-users; + in { instance = { inherit
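Review bot: The new `local-users` binding enforces the hardened-host policy only by narrowing a user set, and nothing at that point says so; a comment such as `# On hardened hosts, only admins get local accounts.` above it would make the intent explicit. `local-admins` is defined outside the hunk, so I cannot see whether it can be empty; if it can, a hardened host would evaluate to no local users at all, and an assertion that the admin set is non-empty when `host.hardened` is set seems worth adding. Whether this actually stops non-admin logins depends on every consumer going through `instance.local-users` (presumably via the `inherit` list that follows) rather than reading `all-users` or `config.fudo.users` directly, which should be confirmed. The parentheses around `host.hardened` are redundant.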