some updates

2024-09-20 15:26:06 -04:00 · 2024-09-20 15:26:06 -04:00 · 6e8014e0b5
commit 6e8014e0b5
parent db319ed5af
13 changed files with 153 additions and 14 deletions
--- a/common/nixos/laptop.nix
+++ b/common/nixos/laptop.nix
@ -3,7 +3,10 @@
  lib,
  ...
 }: {
-  imports = [./bluetooth.nix];
+  imports = [
+    ./bluetooth.nix
+    ../networking/wireless.nix
+  ];
  options = {
    laptop.enable = lib.mkEnableOption "Enables Laptop options";
  };
@ -16,5 +19,6 @@
    services.tlp.enable = true;

    bluetooth.enable = true;
+    wireless.enable = true;
  };
 }
--- a/common/nixos/ssh/ssh.nix
+++ b/common/nixos/ssh/ssh.nix
@ -58,7 +58,17 @@
        PermitRootLogin = "no";

        # nix enables pam by default
-        #UsePam = true;
+        # UsePAM = false;
+
+        # challenge-response authentication backend it not configured by default
+        # therefore, it is set to "no" by default to avoid the use of an unconfigured backend
+        ChallengeResponseAuthentication = false;
+
+        # set maximum authentication retries to prevent brute force attacks
+        MaxAuthTries = 3;
+
+        # disallow connecting using empty passwords
+        PermitEmptyPasswords = false;

        ########## Cryptography ##########

@ -66,9 +76,28 @@
        # AES CTR modes have been removed to mitigate the Terrapin attack
        #   https://terrapin-attack.com/

-        Ciphers = ["aes256-gcm@openssh.com" "aes128-gcm@openssh.com"];
-        Macs = ["hmac-sha2-256-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com"];
-        KexAlgorithms = ["curve25519-sha256" "curve25519-sha256@libssh.org" "diffie-hellman-group16-sha512" "diffie-hellman-group18-sha512"];
+        Ciphers = [
+          "aes256-gcm@openssh.com"
+          "aes128-gcm@openssh.com"
+        ];
+        Macs = [
+          "hmac-sha2-256-etm@openssh.com"
+          "hmac-sha2-512-etm@openssh.com"
+          "umac-128-etm@openssh.com"
+        ];
+        KexAlgorithms = [
+          "sntrup761x25519-sha512@openssh.com"
+          "curve25519-sha256"
+          "curve25519-sha256@libssh.org"
+          "diffie-hellman-group16-sha512"
+          "diffie-hellman-group18-sha512"
+        ];
+
+        # hostKeyAlgorithms = [
+        #   "rsa-sha2-512"
+        #   "rsa-sha2-256"
+        #   "ssh-ed25519"
+        # ];

        ########## Connection Preferences ##########

@ -97,7 +126,26 @@

        # allow a maximum of two multiplexed sessions over a single TCP connection
        MaxSessions = 2;
+
+        # let ClientAliveInterval handle keepalive
+        TCPKeepAlive = false;
+
+        # disable reverse DNS lookups
+        # UseDNS = false;
      };
+      extraConfig = ''
+        ########## Features ##########
+
+        # accept locale-related environment variables
+        AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+        AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+        AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+        AcceptEnv XMODIFIERS
+
+        ########## Connection Preferences ##########
+        # disable reverse DNS lookups
+        UseDNS no
+      '';
    };
  };
 }
--- a/common/nixos/ssh/ssh_client.nix
+++ b/common/nixos/ssh/ssh_client.nix
@ -34,6 +34,7 @@
        "umac-128-etm@openssh.com"
      ];
      kexAlgorithms = [
+        "sntrup761x25519-sha512@openssh.com"
        "curve25519-sha256"
        "curve25519-sha256@libssh.org"
        "diffie-hellman-group16-sha512"