security: Some settings should always be enabled

Even if Phoebe security is off, force some settings to be on.  These
are settings that are appropriate even for developer testing VMs.

modules/security/default.nix

@@ -23,11 +23,28 @@ in
 
   #### Implementation
   config = mkMerge [
+
+    ############################################################################
+    # Things to disable when not using security settings:
     (mkIf (!cfg.enable) {
       # Only really useful for development VMs:
       networking.firewall.enable = false;
     })
 
+    ############################################################################
+    # Settings that are always enabled:
+    {
+      # Users must be created in Nix:
+      users.mutableUsers = false;
+
+      # Don't require or use any passwords:
+      security.pam.enableSSHAgentAuth = true;
+      services.openssh.passwordAuthentication = false;
+      services.openssh.permitRootLogin = "without-password";
+    }
+
+    ############################################################################
+    # Settings to enable when security is enabled:
     (mkIf cfg.enable {
       # Firewall:
       networking.firewall = {
@@ -36,6 +53,14 @@ in
         pingLimit = "--limit 1/minute --limit-burst 5";
         allowedTCPPorts = config.services.openssh.ports;
       };
+
+      # SSH and authentication:
+      services.openssh.forwardX11 = false;
+      services.openssh.openFirewall = false; # Done above.
+
+      # Run-time kernel modifications:
+      # FIXME: enable after some testing.
+      # security.lockKernelModules = true;
     })
   ];
 }