From d18a4ee24b4035efe49806372254b1254e83f352 Mon Sep 17 00:00:00 2001
From: yuri
Date: Tue, 10 Oct 2023 16:43:51 +0200
Subject: [PATCH] Use OpenSSH config from CCCHH nix-infra repo

---
 config/common/default.nix | 13 ++----------
 config/common/openssh.nix | 42 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 44 insertions(+), 11 deletions(-)
 create mode 100644 config/common/openssh.nix

diff --git a/config/common/default.nix b/config/common/default.nix
index 0aee917..c57eaba 100644
--- a/config/common/default.nix
+++ b/config/common/default.nix
@@ -1,8 +1,9 @@
-{ pkgs, lib, ... }:
+{ pkgs, ... }:
 {
   imports = [
     ./prometheus-node-exporter.nix
     ./nginx.nix
+    ./openssh.nix
     ../users/colmena-deploy
     ../users/yuri
   ];
@@ -36,16 +37,6 @@
     tcpdump
   ];
 
-  services.openssh = {
-    enable = true;
-    openFirewall = true;
-    settings = {
-      PasswordAuthentication = false;
-      KbdInteractiveAuthentication = false;
-      PermitRootLogin = lib.mkForce "no";
-    };
-  };
-
   security.acme = {
     defaults.email = "acme@grzb.de";
     acceptTerms = true;
diff --git a/config/common/openssh.nix b/config/common/openssh.nix
new file mode 100644
index 0000000..e706571
--- /dev/null
+++ b/config/common/openssh.nix
@@ -0,0 +1,42 @@
+# Common SSH configuration.
+# Sources for this configuration:
+# - https://nixos.org/manual/nixos/stable/#sec-ssh
+# - https://infosec.mozilla.org/guidelines/openssh
+# - Julians deploy_ssh_server_config Ansible role
+
+{ lib, ... }:
+{
+  services.openssh = {
+    enable = true;
+    openFirewall = true;
+
+    settings = {
+      # Macs seem reasonable as the default of NixOS 23.05 is a subset of the Mozilla Modern guideline as of 2023-09-09.
+      # Ciphers seem reasonable as the default of NixOS 23.05 matches the Mozilla Modern guideline as of 2023-09-09.
+
+      # X11 Forwarding shouldn't be needed.
+      X11Forwarding = false;
+
+      # Don't allow root login.
+      PermitRootLogin = lib.mkForce "no";
+
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
+
+      # Set this according to Mozilla Modern guideline as of 2023-09-09.
+      # The guidelines description:
+      # LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a
+      # clear audit track of which key was using to log in.
+      LogLevel = "VERBOSE";
+    };
+
+    # Set those according to Mozilla Modern guideline as of 2023-09-09.
+    # The guidelines description:
+    # Log sftp level file access (read/write/etc.) that would not be easily
+    # logged otherwise.
+    sftpFlags = [
+      "-f AUTHPRIV"
+      "-l INFO"
+    ];
+  };
+}
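Review bot: The two comments at the top of `settings` record a one-off comparison of the NixOS 23.05 default MACs and Ciphers against the Mozilla guideline, but say nothing about key exchange algorithms, which that guideline also specifies, and the comparison is pinned to one NixOS release so it silently goes stale on the next channel bump. Either set `settings.KexAlgorithms` explicitly next to the reviewed MACs/Ciphers, or add a line such as `# KexAlgorithms: NixOS 23.05 default not yet compared against the guideline — TODO review` and a sentence in the file header saying the default algorithm lists must be re-checked whenever nixpkgs is bumped. Separately, `sftpFlags` only take effect while `allowSFTP` keeps its default of true; a one-line comment above `sftpFlags` saying so would keep a later `allowSFTP = false` from silently dropping the file-access audit log this block is meant to provide.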