# Common SSH configuration.
# Sources for this configuration:
# - https://nixos.org/manual/nixos/stable/#sec-ssh
# - https://infosec.mozilla.org/guidelines/openssh
# - Julian's deploy_ssh_server_config Ansible role

{ config, pkgs, ... }:

{
  # Run sshd and open its port in the NixOS firewall.
  services.openssh.enable = true;
  services.openssh.openFirewall = true;

  # sshd_config keys. Anything not listed here keeps the NixOS module default.
  services.openssh.settings = {
    # Key exchange list taken from the Mozilla "Modern" guideline as of 2023-09-09.
    # In the NixOS module system an explicitly set option replaces its default
    # rather than extending it, so any algorithm the NixOS default would enable
    # but which is absent below is turned off — re-check this list when the
    # NixOS default changes.
    # NOTE(review): diffie-hellman-group-exchange-sha256 is only as strong as the
    # moduli file sshd reads; the Mozilla guideline pairs this list with pruning
    # small moduli, which this file does not do — confirm the default moduli file
    # is acceptable, or point services.openssh.moduliFile at a pruned one.
    KexAlgorithms = [
      "curve25519-sha256@libssh.org"
      "ecdh-sha2-nistp521"
      "ecdh-sha2-nistp384"
      "ecdh-sha2-nistp256"
      "diffie-hellman-group-exchange-sha256"
    ];
    # Ciphers and Macs are deliberately left at the NixOS 23.05 defaults: as of
    # 2023-09-09 the default Ciphers equal the Mozilla Modern list and the
    # default Macs are a subset of it.

    # No X11 forwarding: nothing here needs it.
    X11Forwarding = false;

    # Root must not log in directly over SSH.
    PermitRootLogin = "no";

    # Public-key only: password and keyboard-interactive methods are both off.
    PasswordAuthentication = false;
    KbdInteractiveAuthentication = false;

    # VERBOSE makes sshd log the fingerprint of the key used on each login
    # (Mozilla Modern guideline, 2023-09-09), so the audit trail shows which
    # key authenticated, not only which user.
    LogLevel = "VERBOSE";
  };

  # Extra flags for the sftp subsystem, also from the Mozilla Modern guideline
  # as of 2023-09-09: log file-level sftp access (read/write/...) to the
  # AUTHPRIV facility at INFO, which would not be easily logged otherwise.
  services.openssh.sftpFlags = [
    "-f AUTHPRIV"
    "-l INFO"
  ];
}