Commit bd6966bc authored by nicoo

nixos/pam: Secure default for `sshAgentAuth.authorizedKeysFiles`

Closes #31611
parent f7569cb8
+14 −4
@@ -47,6 +47,20 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m

- `himalaya` was updated to v1.0.0-beta, which introduces breaking changes. Check out the [release note](https://github.com/soywod/himalaya/releases/tag/v1.0.0-beta) for details.

- `security.pam.enableSSHAgentAuth` was replaced by the `sshAgentAuth` attrset, and **only**
  `authorized_keys` files listed in [`sshAgentAuth.authorizedKeysFiles`] are trusted,
  defaulting to `/etc/ssh/authorized_keys.d/%u`.
  ::: {.warning}
  Users of {manpage}`pam_ssh_agent_auth(8)` must take care that the pubkeys they use (for instance with `sudo`)
  are listed in [`sshAgentAuth.authorizedKeysFiles`]..
  :::
  ::: {.note}
  Previously, all `services.openssh.authorizedKeysFiles` were trusted, including `~/.ssh/authorized_keys`,
  which results in an **insecure** configuration; see [#31611](https://github.com/NixOS/nixpkgs/issues/31611).
  :::

[`sshAgentAuth.authorizedKeysFiles`]: #opt-security.pam.sshAgentAuth.authorizedKeysFiles

- The `power.ups` module now generates `upsd.conf`, `upsd.users` and `upsmon.conf` automatically from a set of new configuration options. This breaks compatibility with existing `power.ups` setups where these files were created manually. Back up these files before upgrading NixOS.

- `k9s` was updated to v0.31. There have been various breaking changes in the config file format,
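
Review bot: The warning block in the new `security.pam.enableSSHAgentAuth` entry tells users to "take care" but not what breaks or how to fix it. A key that is present only in `~/.ssh/authorized_keys` will no longer be accepted for agent authentication (for instance with `sudo`) once the default is `/etc/ssh/authorized_keys.d/%u`, so say that explicitly and name the two remedies: add the key to a listed file, or set `authorizedKeysFiles` explicitly. The warning sentence also ends with a doubled period after the link reference, and the first line would read more clearly with the full option path `security.pam.sshAgentAuth` rather than the bare `sshAgentAuth`.
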
@@ -149,10 +163,6 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m

- The source of the `mockgen` package has changed to the [go.uber.org/mock](https://github.com/uber-go/mock) fork because [the original repository is no longer maintained](https://github.com/golang/mock#gomock).

- `security.pam.enableSSHAgentAuth` was renamed to `security.pam.sshAgentAuth.enable` and an `authorizedKeysFiles`
  option was added, to control which `authorized_keys` files are trusted.  It defaults to the previous behaviour,
  **which is insecure**: see [#31611](https://github.com/NixOS/nixpkgs/issues/31611).

- [](#opt-boot.kernel.sysctl._net.core.wmem_max_) changed from a string to an integer because of the addition of a custom merge option (taking the highest value defined to avoid conflicts between 2 services trying to set that value), just as [](#opt-boot.kernel.sysctl._net.core.rmem_max_) since 22.11.

- `services.zfs.zed.enableMail` now uses the global `sendmail` wrapper defined by an email module
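
Review bot: The rename target `security.pam.sshAgentAuth.enable` is lost with the entry dropped from this section: the replacement entry earlier in the file says only that the option "was replaced by the `sshAgentAuth` attrset". Carry the explicit new option name into the new entry so readers migrating from `security.pam.enableSSHAgentAuth` know exactly what to set.
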
+1 −3
@@ -1050,9 +1050,7 @@ in
          See [issue #31611](https://github.com/NixOS/nixpkgs/issues/31611)
          :::
        '';
        example = [ "/etc/ssh/authorized_keys.d/%u" ];
        default = config.services.openssh.authorizedKeysFiles;
        defaultText = literalExpression "config.services.openssh.authorizedKeysFiles";
        default = [ "/etc/ssh/authorized_keys.d/%u" ];
      };
    };
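
Review bot: The option description kept as context above the changed `default` (the admonition ending with `See [issue #31611]`) is not touched by this hunk, so check that it does not still describe the default as the insecure setting now that the default is `[ "/etc/ssh/authorized_keys.d/%u" ]`. It should instead warn against adding paths such as `~/.ssh/authorized_keys`, which the release note calls insecure. Dropping `example` is reasonable since it would duplicate the new default, and `defaultText` is not needed for a literal list.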