nixos/services/openssh.nix

29 lines
896 B
Nix
Raw Normal View History

{ config, lib, ... }:
2019-02-26 13:44:40 +01:00
# For reference:
# https://infosec.mozilla.org/guidelines/openssh.html
# https://stribika.github.io/2015/01/04/secure-secure-shell.html
with lib;
mkIf (elem "openssh" config.machine.services) {
2019-02-26 13:44:40 +01:00
services.openssh = {
enable = true;
kexAlgorithms = [ "curve25519-sha256@libssh.org" ];
sftpFlags = [ "-f AUTHPRIV" "-l INFO" ];
2019-02-26 13:44:40 +01:00
startWhenNeeded = true;
challengeResponseAuthentication = false;
passwordAuthentication = false;
permitRootLogin = "no";
extraConfig = let users = concatMapStrings (user: "${user.name} ") config.machine.administrators
+ (if config.services.gitea.enable then (config.services.gitea.user + " ") else "")
+ (if config.services.nix-serve.enable then "nix-ssh" else "");
in ''
UsePAM no
AllowUsers ${users}
UsePrivilegeSeparation sandbox
LogLevel VERBOSE
2019-02-26 13:44:40 +01:00
'';
};
}