From 60280c2897cc9adac37e70ff17ca71573e52304f Mon Sep 17 00:00:00 2001
From: wi11-holdsworth <83637728+wi11-holdsworth@users.noreply.github.com>
Date: Wed, 22 Oct 2025 17:28:44 +1100
Subject: [PATCH] feat: harden sshd on server

---
 hosts/server/configuration.nix | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix
index 0311fe3..8854a0d 100644
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@@ -25,7 +25,19 @@ networking.hostName = "${hostName}";
- services.openssh.enable = true;
+ # hardened openssh
+ services.openssh = {
+ passwordAuthentication = false;
+ allowSFTP = false;
+ challengeResponseAuthentication = false;
+ extraConfig = ''
+ AllowTcpForwarding yes
+ X11Forwarding no
+ AllowAgentForwarding no
+ AllowStreamLocalForwarding no
+ AuthenticationMethods publickey
+ '';
+ };
 system.stateVersion = "24.11";
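Review bot: The new `services.openssh = { … }` set drops the `enable = true` that the removed line `services.openssh.enable = true;` provided. Unless another module outside this hunk enables the service, sshd will not be started after the next rebuild, so the hardening never applies and remote access to the server is lost. Add `enable = true;` as the first attribute of the set. `passwordAuthentication` and `challengeResponseAuthentication` are legacy option names; on current nixpkgs the equivalents are `settings.PasswordAuthentication = false;` and `settings.KbdInteractiveAuthentication = false;`, and whether the old aliases still evaluate depends on the nixpkgs revision this host is pinned to, which the hunk does not show. `AllowTcpForwarding yes` only restates the sshd default, so any holder of an authorised key can still tunnel through the server; if forwarding is not required, `no` or `local` fits the stated goal better, and if it is required a short comment saying why would help the next reader.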