formatting: new formatting'

2024-06-01 15:32:26 -04:00 · 2024-06-01 15:32:26 -04:00 · ef1b9f6c91
commit ef1b9f6c91
parent 7efcab98a9
15 changed files with 358 additions and 152 deletions
--- a/common/nixos/common.nix
+++ b/common/nixos/common.nix
@ -4,6 +4,7 @@
  pkgs,
  inputs,
  outputs,
+  user,
  ...
 }: {
  imports = [
@ -20,6 +21,8 @@
  nix.settings.auto-optimise-store = true;
  nix.optimise.automatic = true;

+  nix.settings.trusted-users = ["${user}"];
+
  # Disable so comma can be installed
  programs.command-not-found.enable = false;
  programs.nix-index-database.comma.enable = true;
--- a/common/nixos/ssh.nix
+++ b/common/nixos/ssh.nix
@ -1,93 +0,0 @@
-{user, ...}: {
-  # https://www.ssh-audit.com/hardening_guides.html
-  # https://github.com/jtesta/ssh-audit
-  services.openssh = {
-    enable = true;
-    settings = {
-      ########## Features ##########
-
-      # disallow ssh-agent forwarding to prevent lateral movement
-      AllowAgentForwarding = false;
-
-      # prevent TCP ports from being forwarded over SSH tunnels
-      # **please be aware that disabling TCP forwarding does not prevent port forwarding**
-      # any user with an interactive login shell can spin up his/her own instance of sshd
-      AllowTcpForwarding = false;
-
-      # prevent StreamLocal (Unix-domain socket) forwarding
-      AllowStreamLocalForwarding = false;
-
-      # disables all forwarding features
-      # overrides all other forwarding switches
-      DisableForwarding = true;
-
-      # disallow remote hosts from connecting to forwarded ports
-      # i.e. forwarded ports are forced to bind to 127.0.0.1 instad of 0.0.0.0
-      GatewayPorts = "no";
-
-      # prevent tun device forwarding
-      PermitTunnel = false;
-
-      # suppress MOTD
-      PrintMotd = false;
-
-      # disable X11 forwarding since it is not necessary
-      X11Forwarding = false;
-
-      ########## Authentication ##########
-
-      AllowUsers = ["${user}"];
-
-      # Use keys only. Remove if you want to SSH using password (not recommended)
-      PasswordAuthentication = false;
-      HostbasedAuthentication = false;
-
-      # enable pubkey authentication
-      PubkeyAuthentication = true;
-
-      # Forbid root login through SSH.
-      PermitRootLogin = "no";
-
-      # nix enables pam by default
-      #UsePam = true;
-
-      ########## Cryptography ##########
-
-      # explicitly define cryptography algorithms to avoid the use of weak algorithms
-      # AES CTR modes have been removed to mitigate the Terrapin attack
-      #   https://terrapin-attack.com/
-
-      Ciphers = ["aes256-gcm@openssh.com" "aes128-gcm@openssh.com"];
-      Macs = ["hmac-sha2-256-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com"];
-      KexAlgorithms = ["curve25519-sha256" "curve25519-sha256@libssh.org" "diffie-hellman-group16-sha512" "diffie-hellman-group18-sha512"];
-
-      ########## Connection Preferences ##########
-
-      # enforce SSH server to only use SSH protocol version 2
-      # SSHv1 contains security issues and should be avoided at all costs
-      # SSHv1 is disabled by default after OpenSSH 7.0, but this option is
-      #   specified anyways to ensure this configuration file's compatibility
-      #   with older versions of OpenSSH server
-      Protocol = 2;
-
-      # number of client alive messages sent without client responding
-      ClientAliveCountMax = 2;
-
-      # send a keepalive message to the client when the session has been idle for 300 seconds
-      # this prevents/detects connection timeouts
-      ClientAliveInterval = 300;
-
-      # compression before encryption might cause security issues
-      Compression = false;
-
-      # prevent SSH trust relationships from allowing lateral movements
-      IgnoreRhosts = true;
-
-      # log verbosely for addtional information
-      LogLevel = "VERBOSE";
-
-      # allow a maximum of two multiplexed sessions over a single TCP connection
-      MaxSessions = 2;
-    };
-  };
-}
--- a/common/nixos/ssh/default.nix
+++ b/common/nixos/ssh/default.nix
@ -0,0 +1,7 @@
+{lib, ...}: {
+  imports = [./ssh.nix ./ssh_client.nix ./ssh_guard.nix];
+
+  ssh_client.enable = lib.mkDefault true;
+  ssh.enable = lib.mkDefault false;
+  ssh_guard.enable = lib.mkDefault false;
+}
--- a/common/nixos/ssh/ssh.nix
+++ b/common/nixos/ssh/ssh.nix
@ -0,0 +1,103 @@
+{
+  config,
+  lib,
+  user,
+  ...
+}: {
+  options = {
+    ssh.enable = lib.mkEnableOption "enable ssh settings";
+  };
+  config = lib.mkIf config.ssh.enable {
+    # https://www.ssh-audit.com/hardening_guides.html
+    # https://github.com/jtesta/ssh-audit
+    services.openssh = {
+      enable = true;
+      settings = {
+        ########## Features ##########
+
+        # disallow ssh-agent forwarding to prevent lateral movement
+        AllowAgentForwarding = false;
+
+        # prevent TCP ports from being forwarded over SSH tunnels
+        # **please be aware that disabling TCP forwarding does not prevent port forwarding**
+        # any user with an interactive login shell can spin up his/her own instance of sshd
+        AllowTcpForwarding = false;
+
+        # prevent StreamLocal (Unix-domain socket) forwarding
+        AllowStreamLocalForwarding = false;
+
+        # disables all forwarding features
+        # overrides all other forwarding switches
+        DisableForwarding = true;
+
+        # disallow remote hosts from connecting to forwarded ports
+        # i.e. forwarded ports are forced to bind to 127.0.0.1 instad of 0.0.0.0
+        GatewayPorts = "no";
+
+        # prevent tun device forwarding
+        PermitTunnel = false;
+
+        # suppress MOTD
+        PrintMotd = false;
+
+        # disable X11 forwarding since it is not necessary
+        X11Forwarding = false;
+
+        ########## Authentication ##########
+
+        AllowUsers = ["${user}"];
+
+        # Use keys only. Remove if you want to SSH using password (not recommended)
+        PasswordAuthentication = false;
+        HostbasedAuthentication = false;
+
+        # enable pubkey authentication
+        PubkeyAuthentication = true;
+
+        # Forbid root login through SSH.
+        PermitRootLogin = "no";
+
+        # nix enables pam by default
+        #UsePam = true;
+
+        ########## Cryptography ##########
+
+        # explicitly define cryptography algorithms to avoid the use of weak algorithms
+        # AES CTR modes have been removed to mitigate the Terrapin attack
+        #   https://terrapin-attack.com/
+
+        Ciphers = ["aes256-gcm@openssh.com" "aes128-gcm@openssh.com"];
+        Macs = ["hmac-sha2-256-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com"];
+        KexAlgorithms = ["curve25519-sha256" "curve25519-sha256@libssh.org" "diffie-hellman-group16-sha512" "diffie-hellman-group18-sha512"];
+
+        ########## Connection Preferences ##########
+
+        # enforce SSH server to only use SSH protocol version 2
+        # SSHv1 contains security issues and should be avoided at all costs
+        # SSHv1 is disabled by default after OpenSSH 7.0, but this option is
+        #   specified anyways to ensure this configuration file's compatibility
+        #   with older versions of OpenSSH server
+        Protocol = 2;
+
+        # number of client alive messages sent without client responding
+        ClientAliveCountMax = 2;
+
+        # send a keepalive message to the client when the session has been idle for 300 seconds
+        # this prevents/detects connection timeouts
+        ClientAliveInterval = 300;
+
+        # compression before encryption might cause security issues
+        Compression = false;
+
+        # prevent SSH trust relationships from allowing lateral movements
+        IgnoreRhosts = true;
+
+        # log verbosely for addtional information
+        LogLevel = "VERBOSE";
+
+        # allow a maximum of two multiplexed sessions over a single TCP connection
+        MaxSessions = 2;
+      };
+    };
+  };
+}
--- a/common/nixos/ssh/ssh_client.nix
+++ b/common/nixos/ssh/ssh_client.nix
@ -1,37 +1,45 @@
-{...}: {
-  programs.ssh = {
-    # disable unnecessary forwardings
-    forwardX11 = false;
+{
+  config,
+  lib,
+  ...
+}: {
+  options = {
+    ssh_client.enable = lib.mkEnableOption "enable ssh client settings";
+  };
+  config = lib.mkIf config.ssh_client.enable {
+    programs.ssh = {
+      # disable unnecessary forwardings
+      forwardX11 = false;

-    # explicitly define cryptography algorithms to avoid the use of weak algorithms
-    # AES CTR modes have been removed to mitigate the Terrapin attack
-    # https://terrapin-attack.com/
-    ciphers = [
-      "aes256-gcm@openssh.com"
-      "aes128-gcm@openssh.com"
-    ];
-    hostKeyAlgorithms = [
-      "ssh-ed25519"
-      "ssh-ed25519-cert-v01@openssh.com"
-      "sk-ssh-ed25519@openssh.com"
-      "sk-ssh-ed25519-cert-v01@openssh.com"
-      "rsa-sha2-256"
-      "rsa-sha2-256-cert-v01@openssh.com"
-      "rsa-sha2-512"
-      "rsa-sha2-512-cert-v01@openssh.com"
-    ];
-    macs = [
-      "hmac-sha2-256-etm@openssh.com"
-      "hmac-sha2-512-etm@openssh.com"
-      "umac-128-etm@openssh.com"
-    ];
-    kexAlgorithms = [
-      "curve25519-sha256"
-      "curve25519-sha256@libssh.org"
-      "diffie-hellman-group16-sha512"
-      "diffie-hellman-group18-sha512"
-    ];
-    extraConfig = "
+      # explicitly define cryptography algorithms to avoid the use of weak algorithms
+      # AES CTR modes have been removed to mitigate the Terrapin attack
+      # https://terrapin-attack.com/
+      ciphers = [
+        "aes256-gcm@openssh.com"
+        "aes128-gcm@openssh.com"
+      ];
+      hostKeyAlgorithms = [
+        "ssh-ed25519"
+        "ssh-ed25519-cert-v01@openssh.com"
+        "sk-ssh-ed25519@openssh.com"
+        "sk-ssh-ed25519-cert-v01@openssh.com"
+        "rsa-sha2-256"
+        "rsa-sha2-256-cert-v01@openssh.com"
+        "rsa-sha2-512"
+        "rsa-sha2-512-cert-v01@openssh.com"
+      ];
+      macs = [
+        "hmac-sha2-256-etm@openssh.com"
+        "hmac-sha2-512-etm@openssh.com"
+        "umac-128-etm@openssh.com"
+      ];
+      kexAlgorithms = [
+        "curve25519-sha256"
+        "curve25519-sha256@libssh.org"
+        "diffie-hellman-group16-sha512"
+        "diffie-hellman-group18-sha512"
+      ];
+      extraConfig = "
      # disable unnecessary forwardings
      ForwardAgent no
      ForwardX11Trusted no
@ -72,5 +80,6 @@
      # display an ASCII art of the server's host key
      VisualHostKey yes
    ";
+    };
  };
 }
--- a/common/nixos/ssh/ssh_guard.nix
+++ b/common/nixos/ssh/ssh_guard.nix
@ -0,0 +1,21 @@
+{
+  config,
+  lib,
+  ...
+}: {
+  options = {
+    ssh_guard.enable = lib.mkEnableOption "enable ssh guard";
+  };
+  config = lib.mkIf config.ssh_guard.enable {
+    services.sshguard = {
+      enable = true;
+      services = [
+        "sshd"
+      ];
+      blocktime = 120;
+      detection_time = 1800;
+      blacklist_threshold = 120;
+      blacklist_file = "/var/lib/sshguard/blacklist.db";
+    };
+  };
+}
--- a/common/nixos/ssh_guard.nix
+++ b/common/nixos/ssh_guard.nix
@ -1,12 +0,0 @@
-{...}: {
-  services.sshguard = {
-    enable = true;
-    services = [
-      "sshd"
-    ];
-    blocktime = 120;
-    detection_time = 1800;
-    blacklist_threshold = 120;
-    blacklist_file = "/var/lib/sshguard/blacklist.db";
-  };
-}