grimm-nixos-laptop/hardening/systemd/sshd.nix

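{
  lib,
  config,
  ...
}:
# systemd sandboxing for the OpenSSH daemon (config.systemd.services.sshd).
#
# Review notes on the trade-offs this file makes:
#  * systemd applies every property below to sshd itself, and most of them
#    persist into every process sshd forks: the seccomp filter,
#    MemoryDenyWriteExecute, the address-family and namespace restrictions,
#    the private mount namespace (ProtectSystem/ProtectProc/PrivateTmp) and the
#    capability bounding set.  Interactive login shells therefore run under the
#    same sandbox -- root sessions included, because dropped bounding-set
#    capabilities cannot be re-acquired by children.  Expect anything inside an
#    SSH session that needs user namespaces, AF_NETLINK (e.g. `ip`), W+X memory
#    (JITs), writes outside /home, /root, /run/user, /tmp and /etc/ssh, or a
#    capability not listed below to fail.  In particular `nixos-rebuild switch`
#    over SSH is unlikely to work -- confirm against the workflows this machine
#    is actually used for before relying on this profile.
#  * The four settings explicitly left at `false` are what keep logins working
#    at all; tightening them breaks authentication or session setup.
{
  config.systemd.services = {
    sshd.serviceConfig = {
      ##### process & memory #####
      MemoryDenyWriteExecute = true; # no writable+executable mappings (also in sessions)
      LockPersonality = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true; # no creating setuid/setgid files (executing them is unaffected)
      SystemCallArchitectures = "native"; # reject 32-bit / foreign-ABI syscalls
      # Allow-list: syscalls outside these groups are rejected.  @privileged
      # covers chroot()/setgroups() and friends that sshd's privilege
      # separation and user switching rely on.
      SystemCallFilter = [
        "@system-service"
        "@privileged"
      ];

      ##### networking & namespaces #####
      RestrictAddressFamilies = [
        "AF_INET"
        "AF_INET6"
        "AF_UNIX" # e.g. PAM/logind D-Bus and agent-forwarding sockets
      ];
      # Deny creation of every namespace type.  Inherited by login shells, so
      # unprivileged containers and bubblewrap-style sandboxes will not start
      # inside an SSH session.
      RestrictNamespaces = [
        "~pid"
        "~user"
        "~net"
        "~uts"
        "~mnt"
        "~cgroup"
        "~ipc"
      ];
      PrivateNetwork = false; # IMPORTANT: sshd must listen on the real network stack
      PrivateUsers = false; # IMPORTANT: sshd must setuid() to real system users

      ##### kernel interfaces #####
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectKernelLogs = true;
      ProtectControlGroups = true;
      ProtectClock = true;
      ProtectHostname = true;
      # hidepid on the service's /proc: processes of other users are hidden --
      # even from root sessions, since CAP_SYS_PTRACE is not in the bounding set.
      ProtectProc = "invisible";
      # Pseudo-devices (/dev/null, /dev/urandom, /dev/ptmx and the pts slaves)
      # stay usable so PTY allocation works; real hardware devices are denied.
      DevicePolicy = "closed";

      ##### file system #####
      PrivateTmp = true;
      PrivateMounts = true;
      # Whole tree read-only except /dev, /proc, /sys and -- because
      # ProtectHome stays off below -- /home, /root and /run/user.  /etc/ssh is
      # re-opened for writing so the NixOS preStart can still generate missing
      # host keys there.
      ProtectSystem = "strict";
      ReadWritePaths = [ "/etc/ssh" ];
      ProtectHome = false; # IMPORTANT: sessions need read/write access to home directories

      ##### privileges #####
      # Upper bound for sshd and for every session it starts (root included).
      # Names are spelled upper-case like systemd's documentation so a
      # case-sensitive parser can never silently drop an entry.
      CapabilityBoundingSet = [
        "CAP_NET_BIND_SERVICE" # bind port 22
        "CAP_SETUID" # switch to the authenticated user
        "CAP_SETGID"
        "CAP_SYS_CHROOT" # ChrootDirectory / privilege-separation chroot
        # Presumably needed for PAM to read root-only files such as
        # /etc/shadow -- confirm on this host before removing.
        "CAP_DAC_OVERRIDE"
        # sshd chown()s each allocated pty to the logging-in user before the
        # session shell starts; without CAP_CHOWN that chown fails with EPERM
        # and sshd aborts the session, leaving only root able to log in with
        # a PTY.  Verify a non-root interactive login after any change here.
        "CAP_CHOWN"
      ];
      # IMPORTANT: setuid helpers run from sessions (sudo, passwd, the PAM
      # password helper) must be able to gain privileges.
      NoNewPrivileges = false;
    };
  };
}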