From b794652a36d905f93022dad5a60eb30b157ea4a9 Mon Sep 17 00:00:00 2001
From: uku
Date: Thu, 20 Jun 2024 16:49:12 +0200
Subject: [PATCH] feat: harden openssh server

---
 configs/common.nix | 5 -----
 configs/server.nix | 14 +++++++++++++-
 2 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/configs/common.nix b/configs/common.nix
index 80077dd..2165e20 100644
--- a/configs/common.nix
+++ b/configs/common.nix
@@ -113,11 +113,6 @@ in {
 };
 
 services = {
- openssh = {
- enable = true;
- openFirewall = lib.mkDefault false;
- };
-
 vscode-server.enable = true;
 
 resolved = {
diff --git a/configs/server.nix b/configs/server.nix
index 0078cfb..ebd3c6e 100644
--- a/configs/server.nix
+++ b/configs/server.nix
@@ -1,3 +1,15 @@
 {
- services.tailscale.extraUpFlags = ["--advertise-exit-node"];
+ services = {
+ tailscale.extraUpFlags = ["--advertise-exit-node"];
+
+ openssh = {
+ enable = true;
+ settings = {
+ PermitRootLogin = "no";
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ X11Forwarding = false;
+ };
+ };
+ };
 }
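Review bot: The new `openssh` block in configs/server.nix does not set `openFirewall`, while the block removed from configs/common.nix pinned it to `lib.mkDefault false`. The NixOS module default for `services.openssh.openFirewall` is `true`, so unless another module not shown here overrides it, this hardening commit also opens port 22 in the host firewall on every interface. If SSH is meant to be reachable only over Tailscale (configured in the same file), add `openFirewall = false;` next to `enable = true;`. `lib` does not appear to be in scope in this file as shown, so either use the plain value or give the module a `{lib, ...}:` header to keep the `mkDefault`.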