
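# Shared sshd configuration: key-only, non-root, firewall closed by default.
# `hostname` is not a standard module argument; it must be passed in via
# specialArgs (or similar) by the flake/host that imports this module.
{ config, pkgs, hostname, ... }: {
  # Let sudo authenticate against the caller's forwarded SSH agent instead of a
  # password ("passwordless elevation"). deploy-rs relies on this.
  # NOTE(review): any key the forwarded agent holds can satisfy the sudo prompt,
  # and root on this host can use the forwarded agent for as long as the session
  # is open -- only forward an agent to hosts you trust.
  # Newer NixOS releases rename this option to security.pam.sshAgentAuth.enable
  # (the old name is aliased); confirm against the release you build with.
  security.pam.enableSSHAgentAuth = true;
  programs.ssh.startAgent = true;
  # Keys added to the local agent expire after an hour, bounding the window in
  # which a forwarded agent can be abused.
  programs.ssh.agentTimeout = "1h";

  # By default no ports are open.
  # When ./tailscale.nix is imported, port 22 on the tailscale interface is then opened.
  services.openssh = {
    enable = true;
    # Defaults to true -- I don't like it when services default to true for opening firewalls.
    openFirewall = false;
    settings = {
      LogLevel = "VERBOSE"; # Used for fail2ban monitoring
      PermitRootLogin = "no";
      PasswordAuthentication = false;
      # NixOS defaults KbdInteractiveAuthentication to true and runs sshd with
      # UsePAM, so keyboard-interactive can still present a PAM password prompt
      # even with PasswordAuthentication off. Disable it too so the key-only
      # policy above is actually enforced.
      KbdInteractiveAuthentication = false;
    };
    # Standard DoD consent banner. Wording matters for its legal effect, so keep
    # it verbatim apart from the hostname interpolation.
    banner = ''
      --
      Welcome to ${hostname}
      You are accessing a U.S. Government (USG) Information
      System (IS) that is provided for USG-authorized use only.
      By using this IS (which includes any device attached to
      this IS), you consent to the following conditions:
      - The USG routinely intercepts and monitors communications
      on this IS for purposes including, but not limited
      to, penetration testing, COMSEC monitoring, network
      operations and defense, personnel misconduct (PM), law
      enforcement (LE), and counterintelligence (CI)
      investigations.
      - At any time, the USG may inspect and seize data stored
      on this IS.
      - Communications using, or data stored on, this IS are not
      private, are subject to routine monitoring, interception,
      and search, and may be disclosed or used for any
      USG-authorized purpose.
      - This IS includes security measures (e.g., authentication
      and access controls) to protect USG interests--not for
      your personal benefit or privacy.
      - Notwithstanding the above, using this IS does not
      constitute consent to PM, LE or CI investigative
      searching or monitoring of the content of privileged
      communications, or work product, related to personal
      representation or services by attorneys, psychotherapists,
      or clergy, and their assistants. Such communications
      and work product are private and confidential. See User
      Agreement for details.
      --
    '';
  };
}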