common/openssh: more config

2025-03-17 09:48:19 +01:00 · 2025-03-17 09:48:19 +01:00 · e1e9e7a398
commit e1e9e7a398
parent 8e5e6d7a44
2 changed files with 21 additions and 14 deletions
--- a/hosts/common/services/openssh.nix
+++ b/hosts/common/services/openssh.nix
@ -1,12 +1,32 @@
-{ ... }:
+{ lib, ... }:
 {
  services.openssh = {
+    enable = lib.mkDefault true;
    startWhenNeeded = true;
    settings = {
      StreamLocalBindUnlink = true;
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      PermitRootLogin = "no";
+      PermitEmptyPasswords = false;
+      ChallengeResponseAuthentication = false;
+      GSSAPIAuthentication = false;
+      HostbasedAuthentication = false;
+      IgnoreRhosts = true;
+      KerberosAuthentication = false;
+      RhostsRSAAuthentication = false;
+      Protocol = "2";
+      Macs = [
+        "hmac-sha2-512-etm@openssh.com"
+        "hmac-sha2-256-etm@openssh.com"
+        "umac-128-etm@openssh.com"
+        "hmac-sha2-512"
+      ];
    };
  };
+
+  # systemd.services."sshd@".serviceConfig = {
+  #   Nice = -15;
+  #   IOSchedulingClass = "realtime";
+  # };
 }
--- a/hosts/tsuki/configuration.nix
+++ b/hosts/tsuki/configuration.nix
@ -57,19 +57,6 @@
    firewall.enable=true;
  };

-  services.openssh.enable = true;
-  services.openssh.settings.Macs = [
-    "hmac-sha2-512-etm@openssh.com"
-    "hmac-sha2-256-etm@openssh.com"
-    "umac-128-etm@openssh.com"
-    "hmac-sha2-512"
-  ];
-
-  systemd.services."sshd@".serviceConfig = {
-    Nice = -15;
-    IOSchedulingClass = "realtime";
-  };
-
  users = {
    users = {
      media = {