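{ lib, ... }:
let
  # Pull in only the two helpers this module uses instead of `with lib;`,
  # so every free identifier below is visibly either local or from `lib`.
  inherit (lib) mkDefault concatStringsSep;

  # Symmetric ciphers, most preferred first.  All three are AEAD
  # constructions, so the `macs` list below is negotiated but not used for
  # data protection with these ciphers; it only matters if a non-AEAD cipher
  # is ever re-added to this list.
  ciphers = [
    "chacha20-poly1305@openssh.com"
    "aes256-gcm@openssh.com"
    "aes128-gcm@openssh.com"
  ];

  # Signature algorithms accepted both for host keys and for user public keys:
  # Ed25519 (plain and certificate form) plus the FIDO-backed "sk-" variants.
  # No RSA or ECDSA: a server that only has an RSA/ECDSA host key is
  # unreachable from a client using this policy (unless overridden per host),
  # and sshd rejects RSA/ECDSA user keys.  Certificate forms are listed first
  # so a CA-signed host key is preferred when the peer offers one.
  sigAlgorithms = [
    "ssh-ed25519-cert-v01@openssh.com"
    "ssh-ed25519"
    "sk-ssh-ed25519-cert-v01@openssh.com"
    "sk-ssh-ed25519@openssh.com"
  ];

  # Key exchange: the post-quantum hybrid first, then classic X25519.
  # `curve25519-sha256` and the `@libssh.org` name denote the same algorithm;
  # both are kept for peers that only advertise one of the two identifiers.
  kexAlgorithms = [
    "sntrup761x25519-sha512@openssh.com"
    "curve25519-sha256"
    "curve25519-sha256@libssh.org"
  ];

  # Encrypt-then-MAC variants only (see the note on `ciphers`).
  macs = [
    "umac-128-etm@openssh.com"
    "hmac-sha2-512-etm@openssh.com"
    "hmac-sha2-256-etm@openssh.com"
  ];

  # sshd_config takes these keys as one comma-separated value, whereas the
  # NixOS client options below take lists.
  sigAlgorithmsStr = concatStringsSep "," sigAlgorithms;
in {
  # Outbound ssh(1) client: same algorithm policy as the server side.
  programs.ssh = {
    inherit ciphers kexAlgorithms macs;
    hostKeyAlgorithms = sigAlgorithms;
    pubkeyAcceptedKeyTypes = sigAlgorithms;
  };

  services.openssh = {
    # A single Ed25519 host key, matching `sigAlgorithms`, at a non-default
    # path under /etc/keys.  mkDefault lets an individual host replace the
    # key set without an mkForce.
    hostKeys = mkDefault [
      { type = "ed25519"; path = "/etc/keys/ssh_host_ed25519_key"; }
    ];
    settings = {
      # Root may log in, but only with a public key, never a password.
      PermitRootLogin = "prohibit-password";
      # Public-key only.  AuthenticationMethods already excludes password and
      # keyboard-interactive; the two explicit `false`s are belt-and-braces so
      # those methods are not even advertised to clients.
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      AuthenticationMethods = "publickey";
      # These three NixOS settings are typed as lists.
      Ciphers = ciphers;
      Macs = macs;
      KexAlgorithms = kexAlgorithms;
      # These two are free-form sshd_config keys, hence the joined string.
      HostKeyAlgorithms = sigAlgorithmsStr;
      PubkeyAcceptedAlgorithms = sigAlgorithmsStr;
      # Remove stale Unix sockets when forwarding (e.g. `ssh -R /path/sock:…`),
      # otherwise a socket left by a previous session makes the bind fail.
      StreamLocalBindUnlink = true;
    };
  };
}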