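{ config, lib, ... }:

# sshd hardening for machines that list "openssh" in `machine.services`.
#
# Public-key authentication only, no root login, a single modern key-exchange
# algorithm and verbose logging.  Ciphers and MACs are not set here, so the
# NixOS module defaults apply to them.
#
# For reference:
# https://infosec.mozilla.org/guidelines/openssh.html
# https://stribika.github.io/2015/01/04/secure-secure-shell.html

with lib;

mkIf (elem "openssh" config.machine.services) (
  let
    # Accounts permitted to log in: every declared administrator, plus the
    # service accounts that are reached over SSH when the matching service is
    # enabled.
    allowedUsers =
      map (user: user.name) config.machine.administrators
      ++ optional config.services.gitea.enable config.services.gitea.user
      # NOTE(review): "nix-ssh" is the account NixOS creates for
      # `nix.sshServe`; `services.nix-serve` (the HTTP binary cache) runs as a
      # different user.  Confirm which service this entry is meant to cover.
      ++ optional config.services.nix-serve.enable "nix-ssh";
  in
  {
    # An `AllowUsers` directive with no patterns does not deny everyone:
    # depending on the sshd version it either silently removes the restriction
    # (any account may log in) or is rejected so sshd fails to start.  Refuse
    # to build such a configuration instead.
    assertions = [
      {
        assertion = allowedUsers != [ ];
        message = "services.openssh: AllowUsers would be empty; declare at least one entry in machine.administrators (or enable a service that adds an SSH account)";
      }
    ];

    services.openssh = {
      enable = true;

      # X25519 only.  The IANA/RFC 8731 name and the original libssh.org name
      # are the same algorithm; offering both keeps clients that advertise
      # only one spelling working.
      kexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];

      # Log sftp-server activity to the AUTHPRIV facility at INFO level so
      # file transfers appear in the auth log next to the logins.
      sftpFlags = [ "-f AUTHPRIV" "-l INFO" ];

      # Socket activation: systemd starts sshd per incoming connection.
      startWhenNeeded = true;

      # Disable every interactive/password method; keys are the only way in.
      challengeResponseAuthentication = false;
      passwordAuthentication = false;
      permitRootLogin = "no";

      # NOTE(review): sshd keeps the *first* value it reads for a keyword, and
      # the NixOS openssh module emits its own `UsePAM yes` ahead of
      # extraConfig, so `UsePAM no` below may be a no-op.  Check the effective
      # value with `sshd -T | grep -i usepam`.  If it does take effect, PAM
      # session modules (logind session registration, pam_limits, ...) no
      # longer run for SSH logins.
      #
      # `UsePrivilegeSeparation` is deprecated since OpenSSH 7.5 (privilege
      # separation is always on and sandboxed); it is harmless but logs a
      # deprecation warning on current releases.
      #
      # `LogLevel VERBOSE` records the fingerprint of the key used for each
      # login, which is what makes key-based access auditable.
      extraConfig = ''
        UsePAM no
        AllowUsers ${concatStringsSep " " allowedUsers}
        UsePrivilegeSeparation sandbox
        LogLevel VERBOSE
      '';
    };
  }
)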