nix/services/openssh.nix

{ config, pkgs, hostname, ... }: {
  services.openssh = {
    enable = true;
    # Defaults to true -- I don't like it when services default to true for opening firewalls.
    openFirewall = false;
    settings = {
      LogLevel = "VERBOSE"; # Used for fail2ban monitoring
      PermitRootLogin = "no";
      PasswordAuthentication = true; # Set this to false when keys are configured
    };
    banner = ''
    --
    Welcome to ${hostname}

    You are accessing a U.S. Government (USG) Information 
    System (IS) that is provided for USG-authorized use only.

    By using this IS (which includes any device attached to 
    this IS), you consent to the following conditions:
    
    - The USG routinely intercepts and monitors communications 
      on this IS for purposes including, but not limited 
      to, renetration testing, COMSEC monitoring, network 
      operations and defense, personnel misconduct (PM), law 
      enforcement (LE),  and counterintelligence (CI) 
      investigations.
    
    - At any time, the USG may inspect and seize data stored 
      on this IS.
    
    - Communications using, or data stored on, this IS are not 
      private, are subject to routine monitoring, interception, 
      and search, and may be disclosed or used for any 
      USG-authorized purpose.
    
    - This IS includes security measures (e.g., authentication 
      and access controls) to protect USG interests--not for 
      your personal benefit or privacy.
    
    - Notwithstanding the above, using this IS does not 
      constitute consent to PM, LE or CI investigative 
      searching or monitoring of the content of privileged 
      communications, or work product, elated to personal 
      representation or services by attorneys, psychotherapists, 
      or clergy, and their assistants. Such communications 
      and work product are private and confidential. See User 
      Agreement for details. 

    --
    '';
  };

  # Enable GPG Agent support:
  programs.gnupg.agent.enableSSHSupport = true;
}
rearrange things 2023-07-12 08:08:57 +02:00			`{ config, pkgs, hostname, ... }: {`
Update ssh info 2023-07-04 08:21:25 +02:00			`services.openssh = {`
			`enable = true;`
rearrange things 2023-07-12 08:08:57 +02:00			`# Defaults to true -- I don't like it when services default to true for opening firewalls.`
test 2023-07-06 12:58:22 +02:00			`openFirewall = false;`
rearrange settings 2023-07-04 08:40:32 +02:00			`settings = {`
			`LogLevel = "VERBOSE"; # Used for fail2ban monitoring`
			`PermitRootLogin = "no";`
			`PasswordAuthentication = true; # Set this to false when keys are configured`
			`};`
Update ssh info 2023-07-04 08:21:25 +02:00			`banner = ''`
Update the banner 2023-07-04 08:41:28 +02:00			`--`
rearrange things 2023-07-12 08:08:57 +02:00			`Welcome to ${hostname}`
Update ssh banner 2023-07-04 08:47:21 +02:00
Update ssh info 2023-07-04 08:21:25 +02:00			`You are accessing a U.S. Government (USG) Information`
			`System (IS) that is provided for USG-authorized use only.`

			`By using this IS (which includes any device attached to`
			`this IS), you consent to the following conditions:`

			`- The USG routinely intercepts and monitors communications`
Update ssh banner 2023-07-04 08:47:21 +02:00			`on this IS for purposes including, but not limited`
			`to, renetration testing, COMSEC monitoring, network`
			`operations and defense, personnel misconduct (PM), law`
			`enforcement (LE), and counterintelligence (CI)`
			`investigations.`
Update ssh info 2023-07-04 08:21:25 +02:00
Update ssh banner 2023-07-04 08:47:21 +02:00			`- At any time, the USG may inspect and seize data stored`
			`on this IS.`
Update ssh info 2023-07-04 08:21:25 +02:00
			`- Communications using, or data stored on, this IS are not`
			`private, are subject to routine monitoring, interception,`
Update ssh banner 2023-07-04 08:47:21 +02:00			`and search, and may be disclosed or used for any`
			`USG-authorized purpose.`
Update ssh info 2023-07-04 08:21:25 +02:00
Update ssh banner 2023-07-04 08:47:21 +02:00			`- This IS includes security measures (e.g., authentication`
			`and access controls) to protect USG interests--not for`
			`your personal benefit or privacy.`
Update ssh info 2023-07-04 08:21:25 +02:00
Update ssh banner 2023-07-04 08:47:21 +02:00			`- Notwithstanding the above, using this IS does not`
			`constitute consent to PM, LE or CI investigative`
			`searching or monitoring of the content of privileged`
			`communications, or work product, elated to personal`
			`representation or services by attorneys, psychotherapists,`
			`or clergy, and their assistants. Such communications`
			`and work product are private and confidential. See User`
			`Agreement for details.`
Update the banner 2023-07-04 08:41:28 +02:00
test 2023-07-05 14:24:39 +02:00			`--`
Update ssh info 2023-07-04 08:21:25 +02:00			`'';`
			`};`
Add GPG agent support to SSH 2023-07-04 08:29:10 +02:00
			`# Enable GPG Agent support:`
test 2023-07-04 08:39:32 +02:00			`programs.gnupg.agent.enableSSHSupport = true;`
Update 2023-07-04 07:44:25 +02:00			`}`