# Common SSH configuration.
# Sources for this configuration:
# - https://nixos.org/manual/nixos/stable/#sec-ssh
# - https://infosec.mozilla.org/guidelines/openssh
# - Julians deploy_ssh_server_config Ansible role

{ lib, ... }:
{
  services.openssh = {
    enable = true;
    openFirewall = true;

    settings = {
      # Macs seem reasonable as the default of NixOS 23.05 is a subset of the Mozilla Modern guideline as of 2023-09-09.
      # Ciphers seem reasonable as the default of NixOS 23.05 matches the Mozilla Modern guideline as of 2023-09-09.

      # X11 Forwarding shouldn't be needed.
      X11Forwarding = false;

      # Don't allow root login.
      PermitRootLogin = lib.mkForce "no";

      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;

      # Set this according to Mozilla Modern guideline as of 2023-09-09.
      # The guidelines description:
      # LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a
      # clear audit track of which key was using to log in.
      LogLevel = "VERBOSE";
    };

    # Set those according to Mozilla Modern guideline as of 2023-09-09.
    # The guidelines description:
    # Log sftp level file access (read/write/etc.) that would not be easily
    # logged otherwise.
    sftpFlags = [
      "-f AUTHPRIV"
      "-l INFO"
    ];
  };
}