You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
32 lines
1.2 KiB
Nix
32 lines
1.2 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
let
|
|
inherit (lib) mkIf mkMerge mkThenElse;
|
|
cfg = config.r6d.config-generator;
|
|
computers = config.r6d.computers;
|
|
profiles = config.r6d.profiles;
|
|
in
|
|
|
|
mkIf true {
|
|
|
|
# Services
|
|
## OpenSSH daemon
|
|
services.openssh = {
|
|
enable = true;
|
|
# https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29
|
|
# http://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
|
|
extraConfig = ''
|
|
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
|
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
|
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
|
|
|
|
# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
|
|
LogLevel VERBOSE
|
|
|
|
# Use kernel sandbox mechanisms where possible in unprivilegied processes
|
|
# Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere.
|
|
UsePrivilegeSeparation sandbox
|
|
'';
|
|
};
|
|
}
|