authorGregor Kleen <gkleen@yggdrasil.li>2021-12-15 16:27:25 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2021-12-15 16:27:25 +0100
commitf6e1b9bc982a7498612f59c32138b1260c893c95 (patch)
tree18d382502778e40108116cc89cb7a62659613ba3 /system-profiles/openssh/default.nix
parent00be2c22af5e2ae452b2d68b4d7edce3bd8b1187 (diff)
openssh: secure
Diffstat (limited to 'system-profiles/openssh/default.nix')
-rw-r--r--system-profiles/openssh/default.nix33
1 files changed, 27 insertions, 6 deletions
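--- a/system-profiles/openssh/default.nix
+++ b/system-profiles/openssh/default.nix
@@ -14,18 +14,39 @@
 type = "ed25519";
 }
 ];
+ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes256-ctr" ];
+macs = [ "hmac-sha2-256-etm@openssh.com" "hmac-sha2-256" "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512" ];
+kexAlgorithms = [ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ];
+moduliFile = config.sops.secrets.ssh_moduli.path;
+};
+
+programs.ssh = {
+ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes256-ctr" ];
+hostKeyAlgorithms = [ "ssh-ed25519-cert-v01@openssh.com" "ssh-rsa-cert-v01@openssh.com" "ssh-ed25519" "ssh-rsa" ];
+kexAlgorithms = [ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ];
+macs = [ "hmac-sha2-256-etm@openssh.com" "hmac-sha2-256" "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512" ];
+pubkeyAcceptedKeyTypes = [ "ssh-ed25519" "ssh-rsa" ];
+extraConfig = ''
+Host *
+UseRoaming no
+'';
 };
 
 sops.secrets = lib.mkIf config.services.openssh.enable {
 ssh_host_rsa_key = {
 key = "rsa";
 path = "/etc/ssh/ssh_host_rsa_key";
 sopsFile = ./host-keys + "/${hostName}.yaml";
 };
 ssh_host_ed25519_key = {
 key = "ed25519";
 path = "/etc/ssh/ssh_host_ed25519_key";
 sopsFile = ./host-keys + "/${hostName}.yaml";
+};
+ssh_moduli = {
+format = "binary";
+path = "/etc/ssh/moduli";
+sopsFile = ./host-moduli + "/${hostName}";
 };
 };
 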
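Review bot: `ssh-rsa` in the new `programs.ssh.hostKeyAlgorithms` and `pubkeyAcceptedKeyTypes` names the RSA/SHA-1 signature scheme, not RSA keys in general, so a commit titled "secure" is explicitly re-enabling the algorithm OpenSSH 8.8 turned off by default while leaving out the SHA-2 RSA variants. I would change the two lines to `hostKeyAlgorithms = [ "ssh-ed25519-cert-v01@openssh.com" "rsa-sha2-512-cert-v01@openssh.com" "ssh-ed25519" "rsa-sha2-512" "rsa-sha2-256" ];` and `pubkeyAcceptedKeyTypes = [ "ssh-ed25519" "rsa-sha2-512" "rsa-sha2-256" ];` (the same applies to `ssh-rsa-cert-v01@openssh.com`). `UseRoaming no` in `extraConfig` targets a client feature removed in OpenSSH 7.2; current clients appear to treat the keyword as deprecated and ignore it, so it is dead configuration and should either be dropped or carry a comment saying why it is kept. `moduliFile` reads `config.sops.secrets.ssh_moduli.path` unconditionally while the secret is declared under `lib.mkIf config.services.openssh.enable`, which likely fails evaluation when sshd is disabled unless the enclosing `services.openssh` attribute set, which starts before this hunk, is guarded the same way.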