More nginx config dehardcoding. Did some sshd hardening.

2019-03-24 22:55:17 +01:00 · 2019-03-24 22:55:17 +01:00 · e745bdea3d
commit e745bdea3d
parent 66ca5839e5
5 changed files with 15 additions and 7 deletions
--- a/services/openssh.nix
+++ b/services/openssh.nix
@ -9,13 +9,18 @@ with lib;
 mkIf (elem "openssh" config.machine.services) {
  services.openssh = {
    enable = true;
+    kexAlgorithms = [ "curve25519-sha256@libssh.org" ];
    sftpFlags = [ "-f AUTHPRIV" "-l INFO" ];
    startWhenNeeded = true;
    challengeResponseAuthentication = false;
    passwordAuthentication = false;
    permitRootLogin = "no";
    extraConfig = ''
+        UsePAM no
+        UseRoaming no
        AllowUsers derped git nix-ssh
+        UsePrivilegeSeparation sandbox
+        LogLevel VERBOSE
    '';
  };
 }