{ config, lib, fn, ... }: # For reference: # https://infosec.mozilla.org/guidelines/openssh.html # https://stribika.github.io/2015/01/04/secure-secure-shell.html with lib; mkIf (elem "openssh" config.machine.services) { services.openssh = { enable = true; settings.KexAlgorithms = [ "curve25519-sha256@libssh.org" ]; sftpFlags = [ "-f AUTHPRIV" "-l INFO" ]; startWhenNeeded = false; settings = { KbdInteractiveAuthentication = false; PasswordAuthentication = false; PermitRootLogin = "no"; }; extraConfig = let users = concatMapStrings (user: "${user.name} ") config.machine.administrators + (optionalString config.services.forgejo.enable (config.services.forgejo.user + " ")); in '' UsePAM no AllowUsers ${users} LogLevel VERBOSE ''; }; # Add public keys to /etc/ssh/authorized_keys.d # This replaces users.users.*.openssh.authorizedKeys.* sops.secrets = fn.sopsHelper (user: "users/${user.name}/publicKey") config.machine.administrators (user: { path = "/etc/ssh/authorized_keys.d/${user.name}"; mode = "444"; }); }