67 lines
1.8 KiB
Nix
67 lines
1.8 KiB
Nix
{
|
|
lib,
|
|
config,
|
|
...
|
|
}: {
|
|
services.openssh = {
|
|
enable = true;
|
|
settings = {
|
|
KbdInteractiveAuthentication = false;
|
|
Ciphers = [
|
|
"aes256-gcm@openssh.com"
|
|
];
|
|
# Use key exchange algorithms recommended by `nixpkgs#ssh-audit`
|
|
KexAlgorithms = [
|
|
"curve25519-sha256"
|
|
"curve25519-sha256@libssh.org"
|
|
"diffie-hellman-group16-sha512"
|
|
"diffie-hellman-group18-sha512"
|
|
"sntrup761x25519-sha512@openssh.com"
|
|
];
|
|
PasswordAuthentication = false;
|
|
StreamLocalBindUnlink = true; # unbind gnupg sockets if they exists
|
|
UseDns = false;
|
|
X11Forwarding = false;
|
|
};
|
|
hostKeys =
|
|
if config.weinturm.impermanence.enable
|
|
then [
|
|
{
|
|
type = "ed25519";
|
|
path = "/persist/etc/ssh/ssh_host_ed25519_key";
|
|
}
|
|
]
|
|
else [
|
|
{
|
|
type = "ed25519";
|
|
path = "/etc/ssh/ssh_host_ed25519_key";
|
|
}
|
|
];
|
|
authorizedKeysFiles = lib.mkIf (!config.services.gitlab.enable) (lib.mkForce ["/etc/ssh/authorized_keys.d/%u"]);
|
|
};
|
|
|
|
networking.nftables.tables."nixos-fw".content = lib.mkOrder 20 ''
|
|
set ssh-ratelimit-v4 {
|
|
type ipv4_addr
|
|
timeout 60s
|
|
flags dynamic
|
|
}
|
|
|
|
set ssh-ratelimit-v6 {
|
|
type ipv6_addr
|
|
timeout 60s
|
|
flags dynamic
|
|
}
|
|
'';
|
|
|
|
# Implement connection rate limit
|
|
services.openssh.openFirewall = false;
|
|
networking.firewall.extraInputRules = lib.mkOrder 5 (
|
|
let
|
|
ports = builtins.concatStringsSep ", " (map builtins.toString config.services.openssh.ports);
|
|
in ''
|
|
tcp dport { ${ports} } update @ssh-ratelimit-v4 { ip saddr limit rate 1/second burst 10 packets } accept
|
|
tcp dport { ${ports} } update @ssh-ratelimit-v6 { ip6 saddr limit rate 1/second burst 10 packets } accept
|
|
''
|
|
);
|
|
}
|