From c16a6ae16da4704ed353ebcf3dcb37d50489b5f7 Mon Sep 17 00:00:00 2001
From: Lander Van den Bulcke
Date: Thu, 29 Aug 2024 09:36:15 +0200
Subject: [PATCH] feat: configure openssh

Signed-off-by: Lander Van den Bulcke
---
 hosts/common/global/default.nix | 1 +
 hosts/common/global/openssh.nix | 29 +++++++++++++++++++++++++++++
 2 files changed, 30 insertions(+)
 create mode 100644 hosts/common/global/openssh.nix

diff --git a/hosts/common/global/default.nix b/hosts/common/global/default.nix
index 4b9c4dd..a8c4414 100644
--- a/hosts/common/global/default.nix
+++ b/hosts/common/global/default.nix
@@ -13,6 +13,7 @@
 ./locale.nix
 ./nh.nix
+ ./openssh.nix
 ];
 
 home-manager.useGlobalPkgs = true;

diff --git a/hosts/common/global/openssh.nix b/hosts/common/global/openssh.nix
new file mode 100644
index 0000000..78f7f5f
--- /dev/null
+++ b/hosts/common/global/openssh.nix
@@ -0,0 +1,29 @@
+# adapted from github.com:Misterio77/nix-config
+{ outputs, lib, config, ...}:
+
+let
+ hosts = lib.attrNames outputs.nixosConfigurations;
+in {
+ services.openssh = {
+ enable = true;
+
+ # Harden
+ settings = {
+ PasswordAuthentication = false;
+ PermitRootLogin = "no";
+
+ # Automatically remove stale sockets
+ StreamLocalBindUnlink = "yes";
+ # Allow forwarding ports to everywhere
+ GatewayPorts = "clientspecified";
+ };
+
+ hostKeys = [
+ {
+ path = "/etc/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ rounds = 100;
+ }
+ ];
+ };
+}
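Review bot: `PasswordAuthentication = false;` in the openssh.nix hunk does not by itself rule out password logins, because the NixOS default for `services.openssh.settings.KbdInteractiveAuthentication` is `true` and keyboard-interactive (PAM) can still prompt for a password; add `KbdInteractiveAuthentication = false;` next to it under the `# Harden` settings unless it is already set elsewhere in the configuration. `GatewayPorts = "clientspecified";` lets a client bind remote-forwarded ports on the host's non-loopback addresses, which widens exposure rather than hardening it, so it deserves a comment stating why that is acceptable on every host importing this module (e.g. which firewall rules cover it) or should stay at the default `"no"`. The `let` binding `hosts = lib.attrNames outputs.nixosConfigurations;` is never referenced in this file and looks like a leftover from the upstream config it was adapted from; drop it or add the use it was meant for.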