From 920d3342d55312937fed357f9abe165bb2aa281b Mon Sep 17 00:00:00 2001
From: "quentin@aristote.fr"
Date: Sat, 17 Jan 2026 18:34:56 +0100
Subject: nixos: ssh: harden

---
 modules/nixos/personal/networking/default.nix | 40 ++++++++++++++++-----------
 1 file changed, 24 insertions(+), 16 deletions(-)

(limited to 'modules/nixos/personal/networking')

diff --git a/modules/nixos/personal/networking/default.nix b/modules/nixos/personal/networking/default.nix
index 03356f1..14b0e86 100644
--- a/modules/nixos/personal/networking/default.nix
+++ b/modules/nixos/personal/networking/default.nix
@@ -2,7 +2,6 @@
   config,
   lib,
   pkgs,
-  options,
   ...
 }:
 let
@@ -62,21 +61,30 @@ in
   services = lib.mkIf cfg.ssh.enable {
     openssh = {
       enable = true;
-    }
-    // (
-      if options.services.openssh ? settings then
-        {
-          settings = {
-            PermitRootLogin = "no";
-            PasswordAuthentication = false;
-          };
-        }
-      else
-        {
-          permitRootLogin = "no";
-          passwordAuthentication = false;
-        }
-    );
+      settings = {
+        # Authentication
+        KbdInteractiveAuthentication = false;
+        PasswordAuthentication = false;
+        PermitRootLogin = "no";
+
+        # Forwarding
+        GatewayPorts = "no";
+        X11Forwarding = false;
+      };
+      extraConfig = lib.mkBefore ''
+        # Authentication
+        PubkeyAuthentication yes
+        HostbasedAuthentication no
+
+        # Forwarding
+        AllowAgentForwarding no
+        AllowTcpForwarding no
+        PermitTTY no
+        PermitUserEnvironment no
+        PermitUserRC no
+        PermitTunnel no
+      '';
+    };
     fail2ban = {
       enable = true;
       maxretry = 16;
-- 
cgit v1.2.3
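Review bot: `PermitTTY no` in the new `extraConfig` sits in the global section of sshd_config, so the daemon will refuse pty allocation for every SSH session on the host, including an administrator's interactive login, which can lock you out of a shell after deploy. If the intent is to restrict only service or automation accounts, scope it (and, if they are meant to be account-specific, `AllowTcpForwarding no` / `AllowAgentForwarding no`) in a block such as `Match Group <restricted-group>` followed by `  PermitTTY no`, and leave the global default in place. Note also that sshd honours the first occurrence of a keyword, so `lib.mkBefore` here only orders this fragment relative to other `extraConfig` contributions; the same keywords look like they would be accepted directly in `services.openssh.settings` (its type appears freeform in recent nixpkgs — worth confirming), which would make them mergeable and overridable through the module system rather than through string ordering. A one-line comment above `PermitTTY no` stating whether non-interactive-only access is the intended policy for this host would save the next reader the same question.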