authorquentin@aristote.fr <quentin@aristote.fr>2026-01-17 18:34:56 +0100
committerquentin@aristote.fr <quentin@aristote.fr>2026-01-17 21:11:11 +0100
commit920d3342d55312937fed357f9abe165bb2aa281b (patch)
treed775b457dcb460ff8cc1ff190e8d968681ca330d
parentff4ae77a1a2184586e4b6181edb06bd88ca1c55d (diff)
nixos: ssh: harden
-rw-r--r--modules/nixos/personal/networking/default.nix40
-rw-r--r--modules/nixos/personal/user.nix8
2 files changed, 32 insertions, 16 deletions
diff --git a/modules/nixos/personal/networking/default.nix b/modules/nixos/personal/networking/default.nix
index 03356f1..14b0e86 100644
--- a/modules/nixos/personal/networking/default.nix
+++ b/modules/nixos/personal/networking/default.nix
@@ -2,7 +2,6 @@
config,
lib,
pkgs,
- options,
...
}:
let
@@ -62,21 +61,30 @@ in
services = lib.mkIf cfg.ssh.enable {
openssh = {
enable = true;
- }
- // (
- if options.services.openssh ? settings then
- {
- settings = {
- PermitRootLogin = "no";
- PasswordAuthentication = false;
- };
- }
- else
- {
- permitRootLogin = "no";
- passwordAuthentication = false;
- }
- );
+ settings = {
+ # Authentication
+ KbdInteractiveAuthentication = false;
+ PasswordAuthentication = false;
+ PermitRootLogin = "no";
+
+ # Forwarding
+ GatewayPorts = "no";
+ X11Forwarding = false;
+ };
+ extraConfig = lib.mkBefore ''
+ # Authentication
+ PubkeyAuthentication yes
+ HostbasedAuthentication no
+
+ # Forwarding
+ AllowAgentForwarding no
+ AllowTcpForwarding no
+ PermitTTY no
+ PermitUserEnvironment no
+ PermitUserRC no
+ PermitTunnel no
+ '';
+ };
fail2ban = {
enable = true;
maxretry = 16;
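Review bot: The `lib.mkBefore` on `extraConfig` is load-bearing but undocumented: sshd keeps the first value it sees for a keyword, and a `Match` block swallows every directive that follows it until the next `Match` or end of file, so if these global lines ever sorted after a `Match` block appended by another module they would silently apply only to that match scope (or lose to an earlier value) rather than to every user. I would add a comment above line 56 such as `# sshd uses the first value per keyword and a Match block captures everything after it; mkBefore keeps these global defaults ahead of any Match block other modules add via extraConfig.` Separately, since the commit drops the pre-`settings` compatibility branch, it appears to assume a NixOS whose `services.openssh.settings` is freeform; if so, `PubkeyAuthentication`, `HostbasedAuthentication`, `AllowAgentForwarding`, `AllowTcpForwarding`, `PermitTTY`, `PermitUserEnvironment`, `PermitUserRC` and `PermitTunnel` could move into `settings` alongside the others, which would keep all global hardening in one typed place and leave `extraConfig` for `Match` blocks only — worth confirming against the module version in use before doing so.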
diff --git a/modules/nixos/personal/user.nix b/modules/nixos/personal/user.nix
index ea0ce8c..630144a 100644
--- a/modules/nixos/personal/user.nix
+++ b/modules/nixos/personal/user.nix
@@ -32,6 +32,14 @@ in
];
};
+ services.openssh.extraConfig = ''
+ Match user ${cfg.name}
+ AllowAgentForwarding yes
+ AllowTcpForwarding yes
+ PermitTTY yes
+ PermitUserRC yes
+ '';
+
assertions =
let
missingArgAssertion = name: {
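Review bot: This `Match user` fragment is merged at the default priority, so any other `extraConfig` fragment at the same priority that happens to be concatenated after it is absorbed into the `Match` scope and stops applying globally; ordering between same-priority fragments is not something this file controls. Pinning it to the end with `services.openssh.extraConfig = lib.mkAfter ''` makes the intended "global directives first, per-user Match last" layout explicit instead of relying on the `mkBefore` in networking/default.nix. A short comment stating that intent (and that `Match` must stay the last directive group) would help the next editor, as would a line noting that `AllowAgentForwarding yes` is a deliberate re-enable for this account, since forwarded agents are usable by anyone with root on the host. The `assertions` definition that starts at the bottom of the hunk continues outside it.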