Price/NixOS
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

refactor(hosts/luna): improve hardening of openssh

Browse Source
This commit is contained in:
Price Hiller 2024-03-13 23:57:09 -05:00
parent 7f2966176c
commit 165bb032a9
Signed by: Price
GPG Key ID: C3FADDE7A8534BEB
1 changed files with 14 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
hosts/luna/modules/services/openssh.nix
View File

@ -1,49 +1,26 @@
{ config, ... }:
{
{ config, ... }: {
services.openssh = {
enable = true;
startWhenNeeded = true;
# We set the hostkeys manually so they persist through reboots
hostKeys = [
{
path = (config.environment.persistence.ephemeral.persistentStoragePath + "/etc/ssh/ssh_host_ed25519_key");
type = "ed25519";
}
];
sftpFlags = [
"-f AUTHPRIV"
"-l INFO"
];
extraConfig = ''
AllowUsers price
'';
hostKeys = [{
path = (config.environment.persistence.ephemeral.persistentStoragePath
+ "/etc/ssh/ssh_host_ed25519_key");
type = "ed25519";
}];
sftpFlags = [ "-f AUTHPRIV" "-l INFO" ];
settings = {
PasswordAuthentication = false;
AuthenticationMethods = "publickey";
KbdInteractiveAuthentication = false;
PermitRootLogin = "no";
GatewayPorts = "yes";
X11Forwarding = false;
AllowAgentForwarding = false;
AllowStreamLocalForwarding = false;
LogLevel = "VERBOSE";
KexAlgorithms = [
"curve25519-sha256"
"curve25519-sha256@libssh.org"
"diffie-hellman-group-exchange-sha256"
];
Ciphers = [
"chacha20-poly1305@openssh.com"
"aes256-gcm@openssh.com"
"aes128-gcm@openssh.com"
"aes256-ctr"
"aes192-ctr"
"aes128-ctr"
];
Macs = [
"hmac-sha2-512-etm@openssh.com"
"hmac-sha2-256-etm@openssh.com"
"umac-128-etm@openssh.com"
];
AllowUsers = [ "price" ];
};
ports = [
2200
];
ports = [ 2200 ];
banner = ''
Orion Technologies - Security Notice