fi/nix-infra
1
1
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Use OpenSSH config from CCCHH nix-infra repo

Browse source
This commit is contained in:
yuri 2023-10-10 16:43:51 +02:00
parent 87170d4e9e
commit d18a4ee24b
2 changed files with 44 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
config/common/default.nix
View file

@ -1,8 +1,9 @@
{ pkgs, lib, ... }:
{ pkgs, ... }:
{
imports = [
./prometheus-node-exporter.nix
./nginx.nix
./openssh.nix
../users/colmena-deploy
../users/yuri
];
@ -36,16 +37,6 @@
tcpdump
];
services.openssh = {
enable = true;
openFirewall = true;
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = lib.mkForce "no";
};
};
security.acme = {
defaults.email = "acme@grzb.de";
acceptTerms = true;

42
config/common/openssh.nix Normal file
View file

@ -0,0 +1,42 @@
# Common SSH configuration.
# Sources for this configuration:
# - https://nixos.org/manual/nixos/stable/#sec-ssh
# - https://infosec.mozilla.org/guidelines/openssh
# - Julians deploy_ssh_server_config Ansible role
{ lib, ... }:
{
services.openssh = {
enable = true;
openFirewall = true;
settings = {
# Macs seem reasonable as the default of NixOS 23.05 is a subset of the Mozilla Modern guideline as of 2023-09-09.
# Ciphers seem reasonable as the default of NixOS 23.05 matches the Mozilla Modern guideline as of 2023-09-09.
# X11 Forwarding shouldn't be needed.
X11Forwarding = false;
# Don't allow root login.
PermitRootLogin = lib.mkForce "no";
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
# Set this according to Mozilla Modern guideline as of 2023-09-09.
# The guidelines description:
# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a
# clear audit track of which key was using to log in.
LogLevel = "VERBOSE";
};
# Set those according to Mozilla Modern guideline as of 2023-09-09.
# The guidelines description:
# Log sftp level file access (read/write/etc.) that would not be easily
# logged otherwise.
sftpFlags = [
"-f AUTHPRIV"
"-l INFO"
];
};
}