feat(linux): desktop SSH access server (storopoli#71)

* feat(linux): desktop SSH access server * fix: openssh is false by default
dscv101 · Mar 27, 2024 · 8d436af · 8d436af
1 parent a808c95
commit 8d436af
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 2 deletions.
diff --git a/flake.nix b/flake.nix
@@ -134,6 +134,8 @@
                 inputs.nixos-hardware.nixosModules.common-pc-ssd
                 # Filesystem
                 ./linux/filesystem/desktop/filesystem.nix
+                # Server
+                ./linux/ssh-server.nix
                 # Nvidia stuff
                 ./linux/nvidia.nix
                 # Your home-manager configuration

diff --git a/linux/networking.nix b/linux/networking.nix
@@ -49,8 +49,6 @@
   services = {
     resolved.enable = true;
 
-    openssh.enable = false;
-
     tor.enable = true;
   };
 

diff --git a/linux/ssh-server.nix b/linux/ssh-server.nix
@@ -0,0 +1,43 @@
+{ config, lib, pkgs, ... }:
+
+{
+
+  # Enable SSH server with custom hardened configs
+  services.openssh = {
+    enable = true;
+
+    settings = {
+      # Modern ciphers/MACs
+      Ciphers = [
+        "chacha20-poly1305@openssh.com"
+        "aes256-gcm@openssh.com"
+        "aes128-gcm@openssh.com"
+        "aes256-ctr"
+        "aes192-ctr"
+        "aes128-ctr"
+      ];
+      Macs = [
+        "hmac-sha2-512-etm@openssh.com"
+        "hmac-sha2-256-etm@openssh.com"
+        "umac-128-etm@openssh.com"
+      ];
+
+      # require public key authentication for better security
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
+
+      # Only for the user `user`
+      AllowUsers = [ "user" ];
+
+      LogLevel = "INFO";
+    };
+  };
+
+  # Authorized Keys
+  users.users."user".openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKU4O0J7gdU1+0/IoVZUtajfmWGGNmA3TFXTsbnQfpwt openpgp:0xC116F831"
+  ];
+
+  # Open port 22 in Firewall
+  networking.firewall.allowedTCPPorts = [ 22 ];
+}