61 lines
1.6 KiB
Nix
61 lines
1.6 KiB
Nix
{ config, pkgs, ... }:
|
|
|
|
{
|
|
# Hardened OpenSSH
|
|
services.openssh = {
|
|
enable = true;
|
|
ports = [ 22 ];
|
|
settings = {
|
|
# Authentication
|
|
PermitRootLogin = "no";
|
|
PasswordAuthentication = false;
|
|
KbdInteractiveAuthentication = false;
|
|
PermitEmptyPasswords = false;
|
|
|
|
# Security hardening
|
|
X11Forwarding = false;
|
|
AllowTcpForwarding = false;
|
|
AllowAgentForwarding = false;
|
|
AllowStreamLocalForwarding = false;
|
|
|
|
# Session settings
|
|
ClientAliveInterval = 300;
|
|
ClientAliveCountMax = 2;
|
|
MaxAuthTries = 3;
|
|
MaxSessions = 2;
|
|
LoginGraceTime = 30;
|
|
};
|
|
# Use only strong key exchange algos
|
|
extraConfig = ''
|
|
KexAlgorithms curve25519-sha256@libssh.org,curve25519-sha256
|
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
|
|
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
|
|
'';
|
|
};
|
|
|
|
# Tailscale
|
|
services.tailscale.enable = true;
|
|
|
|
# Fwupd
|
|
services.fwupd.enable = true;
|
|
|
|
# udev
|
|
services.udev.extraRules = ''
|
|
ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="3434", MODE="0660", GROUP="plugdev"
|
|
ACTION=="add", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="3434", MODE="0660", GROUP="plugdev"
|
|
ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="0b05", MODE="0660", GROUP="plugdev"
|
|
ACTION=="add", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="0b05", MODE="0660", GROUP="plugdev"
|
|
'';
|
|
|
|
# Sunshine
|
|
services.sunshine = {
|
|
enable = true;
|
|
autoStart = true;
|
|
openFirewall = true;
|
|
capSysAdmin = true;
|
|
};
|
|
|
|
services.avahi.publish.enable = true;
|
|
services.avahi.publish.userServices = true;
|
|
}
|