43 lines
1.3 KiB
Nix
43 lines
1.3 KiB
Nix
|
# Common SSH configuration.
|
||
|
|
# Sources for this configuration:
|
||
|
|
# - https://nixos.org/manual/nixos/stable/#sec-ssh
|
||
|
|
# - https://infosec.mozilla.org/guidelines/openssh
|
||
|
|
# - Julians deploy_ssh_server_config Ansible role
|
||
|
|
|
||
|
|
{ lib, ... }:
|
||
|
|
{
|
||
|
|
services.openssh = {
|
||
|
|
enable = true;
|
||
|
|
openFirewall = true;
|
||
|
|
|
||
|
|
settings = {
|
||
|
|
# Macs seem reasonable as the default of NixOS 23.05 is a subset of the Mozilla Modern guideline as of 2023-09-09.
|
||
|
|
# Ciphers seem reasonable as the default of NixOS 23.05 matches the Mozilla Modern guideline as of 2023-09-09.
|
||
|
|
|
||
|
|
# X11 Forwarding shouldn't be needed.
|
||
|
|
X11Forwarding = false;
|
||
|
|
|
||
|
|
# Don't allow root login.
|
||
|
|
PermitRootLogin = lib.mkForce "no";
|
||
|
|
|
||
|
|
PasswordAuthentication = false;
|
||
|
|
KbdInteractiveAuthentication = false;
|
||
|
|
|
||
|
|
# Set this according to Mozilla Modern guideline as of 2023-09-09.
|
||
|
|
# The guidelines description:
|
||
|
|
# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a
|
||
|
|
# clear audit track of which key was using to log in.
|
||
|
|
LogLevel = "VERBOSE";
|
||
|
|
};
|
||
|
|
|
||
|
|
# Set those according to Mozilla Modern guideline as of 2023-09-09.
|
||
|
|
# The guidelines description:
|
||
|
|
# Log sftp level file access (read/write/etc.) that would not be easily
|
||
|
|
# logged otherwise.
|
||
|
|
sftpFlags = [
|
||
|
|
"-f AUTHPRIV"
|
||
|
|
"-l INFO"
|
||
|
|
];
|
||
|
|
};
|
||
|
|
}
|