From d2cbfadf752f4f54c07a1901ea1cf1e32cf20bc2 Mon Sep 17 00:00:00 2001
From: Jurn Wubben
Date: Fri, 18 Jul 2025 23:52:02 +0200
Subject: [PATCH] System: hardened ssh; Home: nvim added clangd lsp

---
 home/programs/neovim.nix | 2 +-
 system/services/ssh.nix | 51 ++++++++++++++++++++++++++++++++++++++--
 2 files changed, 50 insertions(+), 3 deletions(-)

diff --git a/home/programs/neovim.nix b/home/programs/neovim.nix
index c49b1ab..317fa0c 100644
--- a/home/programs/neovim.nix
+++ b/home/programs/neovim.nix
@@ -58,7 +58,7 @@
 };
 clang = {
 enable = true;
- lsp.enable = false;
+ lsp.enable = true;
 };
 bash.enable = true;
diff --git a/system/services/ssh.nix b/system/services/ssh.nix
index dc386eb..fec8700 100644
--- a/system/services/ssh.nix
+++ b/system/services/ssh.nix
@@ -1,7 +1,54 @@
-{config, ...}: {
+{
+ config,
+ lib,
+ ...
+}: {
 services.openssh = {
 enable = true;
 openFirewall = !config.niksos.hardware.portable.enable;
- settings.UseDns = true;
+ allowSFTP = false;
+
+ # https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67
+ settings = {
+ UseDns = lib.mkForce true; # Tailscale
+ LogLevel = "VERBOSE";
+ PermitRootLogin = "no";
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = true;
+
+ KexAlgorithms = [
+ "curve25519-sha256@libssh.org"
+ "ecdh-sha2-nistp521"
+ "ecdh-sha2-nistp384"
+ "ecdh-sha2-nistp256"
+ "diffie-hellman-group-exchange-sha256"
+ ];
+ Ciphers = [
+ "chacha20-poly1305@openssh.com"
+ "aes256-gcm@openssh.com"
+ "aes128-gcm@openssh.com"
+ "aes256-ctr"
+ "aes192-ctr"
+ "aes128-ctr"
+ ];
+ Macs = [
+ "hmac-sha2-512-etm@openssh.com"
+ "hmac-sha2-256-etm@openssh.com"
+ "umac-128-etm@openssh.com"
+ "hmac-sha2-512"
+ "hmac-sha2-256"
+ "umac-128@openssh.com"
+ ];
+ };
+
+ extraConfig = ''
+ ClientAliveCountMax 0
+ ClientAliveInterval 300
+
+ AllowAgentForwarding no
+ MaxAuthTries 3
+ MaxSessions 2
+ TCPKeepAlive no
+ '';
 };
 }
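Review bot: `KbdInteractiveAuthentication = true;` in the new `settings` block leaves a password-style login path open through PAM even though `PasswordAuthentication = false;` is set directly above it, since keyboard-interactive auth on NixOS is serviced by the PAM stack; unless a PAM MFA module is deliberately configured elsewhere, this should be `KbdInteractiveAuthentication = false;` so that only public-key authentication remains. `ClientAliveCountMax 0` in `extraConfig` also appears to undercut the intended idle timeout: on current OpenSSH a zero count disables connection termination entirely (per sshd_config(5)), so pair `ClientAliveInterval 300` with `ClientAliveCountMax 1` or a small positive value to actually drop unresponsive sessions. The cited Mozilla "modern" profile targets OpenSSH 6.7 and its `KexAlgorithms` pin omits the post-quantum hybrid `sntrup761x25519-sha512@openssh.com` that recent OpenSSH releases prefer by default, so pinning to this list likely downgrades the KEX below the stock default; either drop the pin or prepend that entry. As a style point, the `extraConfig` keys can be expressed in `settings` next to the others, which keeps all sshd options in one typed attribute set.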