diff --git a/defaults/base-minimal/default.nix b/defaults/base-minimal/default.nix
index ce133f9..078d647 100644
--- a/defaults/base-minimal/default.nix
+++ b/defaults/base-minimal/default.nix
@@ -52,26 +52,21 @@
 # Package management
 nix = {
- settings =
- let
- substituters = [
- "https://${inputs.self.nixosConfigurations.lindberg-build.config.qois.nixpkgs-cache.hostname}?priority=39"
- "https://cache.nixos.org?priority=40"
- "https://attic.qo.is/qois-infrastructure"
- ];
- in
- {
- trusted-users = [
- "root"
- "@wheel"
- ];
- trusted-public-keys = [
- "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
- "qois-infrastructure:lh35ymN7Aoxm5Hz0S6JusxE+cYzMU+x9OMKjDVIpfuE="
- ];
- trusted-substituters = substituters; # For hosts that limit the subst list
- inherit substituters;
- };
+ settings = {
+ trusted-users = [
+ "root"
+ "@wheel"
+ ];
+ substituters = [
+ "https://${inputs.self.nixosConfigurations.lindberg-build.config.qois.nixpkgs-cache.hostname}?priority=39"
+ "https://cache.nixos.org?priority=40"
+ "https://attic.qo.is/qois-infrastructure"
+ ];
+ trusted-public-keys = [
+ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+ "qois-infrastructure:lh35ymN7Aoxm5Hz0S6JusxE+cYzMU+x9OMKjDVIpfuE="
+ ];
+ };
 gc = {
 automatic = true;
 dates = "weekly";
@@ -92,6 +87,10 @@
 services.openssh = {
 enable = true;
 settings.PasswordAuthentication = false;
+
+ # temporary mitigation agains CVE-2024-6387 «regreSSHion» RCE
+ # See https://github.com/NixOS/nixpkgs/pull/323753#issuecomment-2199762128
+ settings.LoginGraceTime = 0;
 };
 
 security.acme = {
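Review bot: `trusted-users = [ "root" "@wheel" ]` on the new side of the first hunk makes every wheel member root-equivalent to the Nix daemon — a trusted user may pass arbitrary `substituters` and `trusted-public-keys` per invocation and have store paths signed by a key of their choosing imported into the system store — and the rewritten `settings` block carries no comment recording that this is intended. If wheel membership is meant only for sudo, `trusted-users = [ "root" ];` is the tighter setting; otherwise a comment such as `# @wheel is root-equivalent for the daemon: trusted users may add substituters/keys at build time` would document the choice. The hunk also drops `trusted-substituters` together with its `# For hosts that limit the subst list` note, so untrusted users can no longer opt into one of these caches with `--option substituters`; whether anything still relied on that is not visible here and is worth stating in the commit message. The enclosing `nix = { ... }` attribute set continues past the hunk.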
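Review bot: `settings.LoginGraceTime = 0;` trades the CVE-2024-6387 signal-handler race for an unauthenticated denial-of-service exposure — with no grace timeout, half-open connections are never torn down, so an attacker needs only `MaxStartups` (default `10:30:100`) idle TCP connections to lock out new logins — and the added comment records neither that trade-off nor a condition for removal. Make the comment name both and fix the typo `agains`: `# TEMPORARY: mitigates CVE-2024-6387 (regreSSHion) at the cost of a connection-exhaustion DoS (no grace timeout => slots held until MaxStartups); remove once the pinned openssh carries the fix (>= 9.8p1 or the nixpkgs backport)`. If `lib` and `config` are in scope in this module (the header is outside the hunk), gating the value on the installed version, e.g. `lib.mkIf (lib.versionOlder config.services.openssh.package.version "9.8p1") 0`, would make the mitigation self-expire, though a backported patch on 9.7p1 would not satisfy that check.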