config: Enable authorization through ssh agent

This enables sudo-via-yubikey and therefore makes `-t` obsolete, in
turn fixing a whole sleuth of issues with deploy-rs.

*And* seems more secure and convenient at the same time.

configuration/default.nix

@@ -100,6 +100,15 @@
     gatewayPorts = "yes";
   };
 
+  security = {
+    sudo.execWheelOnly = true;
+
+    pam = {
+      enableSSHAgentAuth = true;
+      services.sudo.sshAgentAuth = true;
+    };
+  };
+
   services.nginx = {
     enable = true;
     recommendedTlsSettings = true;