Harden SSH and enable post-quantum key exchange (sntrup761x25519-sha512) for system and Forgejo

This commit is contained in:
ashisgreat22 2026-03-19 00:05:12 +01:00
parent abf2080f91
commit f646c091cc
2 changed files with 18 additions and 0 deletions


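--- a/<file-1-path-not-shown>
+++ b/<file-1-path-not-shown>
@@ -24,6 +24,20 @@
 settings = {
 PermitRootLogin = "no";
 PasswordAuthentication = false;
+KexAlgorithms = [
+"sntrup761x25519-sha512@openssh.com"
+"curve25519-sha256"
+"curve25519-sha256@libssh.org"
+];
+Ciphers = [
+"chacha20-poly1305@openssh.com"
+"aes256-gcm@openssh.com"
+];
+Macs = [
+"hmac-sha2-512-etm@openssh.com"
+"hmac-sha2-256-etm@openssh.com"
+"umac-128-etm@openssh.com"
+];
 };
 };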
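Review bot: The `KexAlgorithms` list offers the hybrid post-quantum exchange but does not require it: a client without `sntrup761x25519-sha512@openssh.com` negotiates `curve25519-sha256` from the same list, so the PQ property holds only for peers whose client supports it. If the intent is to enforce PQ key exchange for system SSH, the two curve25519 entries would have to go, at the cost of rejecting older clients; if the fallback is deliberate, a comment such as `# PQ hybrid first; curve25519 kept as fallback for clients without sntrup761 support` would record that. As far as I recall this KEX name is only understood by OpenSSH 8.5 and later, so confirm the pinned nixpkgs sshd accepts it (e.g. `ssh -Q kex` on the host) before relying on it; newer OpenSSH releases also offer `mlkem768x25519-sha256`, which may be worth listing first if the pinned version supports it. The enclosing `settings` attribute set starts before the hunk.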


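--- a/<file-2-path-not-shown>
+++ b/<file-2-path-not-shown>
@@ -54,6 +54,10 @@ in
 SSH_PORT = 2222;
 START_SSH_SERVER = true;
 SSH_LISTEN_ADDR = "0.0.0.0";
+# SSH Hardening
+SSH_SERVER_KEY_EXCHANGES = "sntrup761x25519-sha512,curve25519-sha256,curve25519-sha256@libssh.org";
+SSH_SERVER_CIPHERS = "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com";
+SSH_SERVER_MACS = "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com";
 };
 service = {
 DISABLE_REGISTRATION = cfg.disableRegistration;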
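Review bot: The key-exchange name in `SSH_SERVER_KEY_EXCHANGES` is `sntrup761x25519-sha512` without the `@openssh.com` suffix, whereas the sshd list in the other file uses `sntrup761x25519-sha512@openssh.com`; Forgejo's built-in SSH server is Go's x/crypto/ssh, which to my knowledge silently drops any algorithm name it does not recognise, so a name the bundled library lacks would quietly disable the PQ exchange rather than fail loudly. The same concern applies to `umac-128-etm@openssh.com` in `SSH_SERVER_MACS`, which I do not believe x/crypto/ssh implements. I would use the suffixed name, `SSH_SERVER_KEY_EXCHANGES = "sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org";`, drop the UMAC entry unless the bundled version supports it, and verify with a verbose client connection (`ssh -vv -p 2222 …`) that the server's KEXINIT actually advertises the PQ method. The `# SSH Hardening` comment could also state that these three keys only affect the built-in server enabled by `START_SSH_SERVER = true`, not the system sshd. The enclosing attribute set starts before the hunk.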