Use OpenSSH config from CCCHH nix-infra repo

2023-10-10 16:43:51 +02:00 · 2023-10-10 16:43:51 +02:00 · d18a4ee24b
commit d18a4ee24b
parent 87170d4e9e
2 changed files with 44 additions and 11 deletions
--- a/config/common/default.nix
+++ b/config/common/default.nix
@ -1,8 +1,9 @@
-{ pkgs, lib, ... }:
+{ pkgs, ... }:
 {
  imports = [
    ./prometheus-node-exporter.nix
    ./nginx.nix
+    ./openssh.nix
    ../users/colmena-deploy
    ../users/yuri
  ];
@ -36,16 +37,6 @@
    tcpdump
  ];

-  services.openssh = {
-    enable = true;
-    openFirewall = true;
-    settings = {
-      PasswordAuthentication = false;
-      KbdInteractiveAuthentication = false;
-      PermitRootLogin = lib.mkForce "no";
-    };
-  };
-
  security.acme = {
    defaults.email = "acme@grzb.de";
    acceptTerms = true;
--- a/config/common/openssh.nix
+++ b/config/common/openssh.nix
@ -0,0 +1,42 @@
+# Common SSH configuration.
+# Sources for this configuration:
+# - https://nixos.org/manual/nixos/stable/#sec-ssh
+# - https://infosec.mozilla.org/guidelines/openssh
+# - Julians deploy_ssh_server_config Ansible role
+
+{ lib, ... }:
+{
+  services.openssh = {
+    enable = true;
+    openFirewall = true;
+
+    settings = {
+      # Macs seem reasonable as the default of NixOS 23.05 is a subset of the Mozilla Modern guideline as of 2023-09-09.
+      # Ciphers seem reasonable as the default of NixOS 23.05 matches the Mozilla Modern guideline as of 2023-09-09.
+
+      # X11 Forwarding shouldn't be needed.
+      X11Forwarding = false;
+
+      # Don't allow root login.
+      PermitRootLogin = lib.mkForce "no";
+
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
+
+      # Set this according to Mozilla Modern guideline as of 2023-09-09.
+      # The guidelines description:
+      # LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a
+      # clear audit track of which key was using to log in.
+      LogLevel = "VERBOSE";
+    };
+
+    # Set those according to Mozilla Modern guideline as of 2023-09-09.
+    # The guidelines description:
+    # Log sftp level file access (read/write/etc.) that would not be easily
+    # logged otherwise.
+    sftpFlags = [
+      "-f AUTHPRIV"
+      "-l INFO"
+    ];
+  };
+}