25 lines
669 B
Nix
25 lines
669 B
Nix
{ lib
|
|
, ...
|
|
}:
|
|
|
|
{
|
|
services.openssh = {
|
|
enable = true;
|
|
settings = {
|
|
KbdInteractiveAuthentication = false;
|
|
# Use key exchange algorithms recommended by `nixpkgs#ssh-audit`
|
|
KexAlgorithms = [
|
|
"curve25519-sha256"
|
|
"curve25519-sha256@libssh.org"
|
|
"diffie-hellman-group16-sha512"
|
|
"diffie-hellman-group18-sha512"
|
|
"sntrup761x25519-sha512@openssh.com"
|
|
];
|
|
PasswordAuthentication = false;
|
|
StreamLocalBindUnlink = true; # unbind gnupg sockets if they exists
|
|
UseDns = false;
|
|
X11Forwarding = false;
|
|
};
|
|
authorizedKeysFiles = lib.mkForce [ "/etc/ssh/authorized_keys.d/%u" ];
|
|
};
|
|
}
|