Remove CVE-2024-6387 ssh workaround

defaults/base-minimal/default.nix

@@ -52,21 +52,26 @@
 
   # Package management
   nix = {
-    settings = {
+    settings =
-      trusted-users = [
+      let
-        "root"
+        substituters = [
-        "@wheel"
+          "https://${inputs.self.nixosConfigurations.lindberg-build.config.qois.nixpkgs-cache.hostname}?priority=39"
-      ];
+          "https://cache.nixos.org?priority=40"
-      substituters = [
+          "https://attic.qo.is/qois-infrastructure"
-        "https://${inputs.self.nixosConfigurations.lindberg-build.config.qois.nixpkgs-cache.hostname}?priority=39"
+        ];
-        "https://cache.nixos.org?priority=40"
+      in
-        "https://attic.qo.is/qois-infrastructure"
+      {
-      ];
+        trusted-users = [
-      trusted-public-keys = [
+          "root"
-        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+          "@wheel"
-        "qois-infrastructure:lh35ymN7Aoxm5Hz0S6JusxE+cYzMU+x9OMKjDVIpfuE="
+        ];
-      ];
+        trusted-public-keys = [
-    };
+          "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+          "qois-infrastructure:lh35ymN7Aoxm5Hz0S6JusxE+cYzMU+x9OMKjDVIpfuE="
+        ];
+        trusted-substituters = substituters; # For hosts that limit the subst list
+        inherit substituters;
+      };
     gc = {
       automatic = true;
       dates = "weekly";
@@ -87,10 +92,6 @@
   services.openssh = {
     enable = true;
     settings.PasswordAuthentication = false;
-
-    # temporary mitigation agains CVE-2024-6387 «regreSSHion» RCE
-    # See https://github.com/NixOS/nixpkgs/pull/323753#issuecomment-2199762128
-    settings.LoginGraceTime = 0;
   };
 
   security.acme = {