diff --git a/systems/configuration.nix b/systems/configuration.nix
index a373d56..384db50 100644
--- a/systems/configuration.nix
+++ b/systems/configuration.nix
@@ -29,6 +29,22 @@
 enable = true;
 fixPermissions = true;
 extraConfig = ''StreamLocalBindUnlink yes'';
+ # below is a modified default to include ecdsa (as per this https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67)
+ hostKeys = [
+ {
+ bits = 4096;
+ path = "/etc/ssh/ssh_host_rsa_key";
+ type = "rsa";
+ }
+ {
+ path = "/etc/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ {
+ path = "/etc/ssh/ssh_host_ecdsa_key";
+ type = "ecdsa";
+ }
+ ];
 settings = {
 PermitRootLogin = "no";
 PasswordAuthentication = false;
@@ -45,7 +61,7 @@
 "aes192-ctr"
 "aes128-ctr"
 ];
- MACs = [
+ Macs = [
 "hmac-sha2-512-etm@openssh.com"
 "hmac-sha2-256-etm@openssh.com"
 "umac-128-etm@openssh.com"
@@ -53,22 +69,6 @@
 "hmac-sha2-256"
 "umac-128@openssh.com"
 ];
- # below is a modified default to include ecdsa (as per this https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67)
- hostKeys = [
- {
- bits = 4096;
- path = "/etc/ssh/ssh_host_rsa_key";
- type = "rsa";
- }
- {
- path = "/etc/ssh/ssh_host_ed25519_key";
- type = "ed25519";
- }
- {
- path = "/etc/ssh/ssh_host_ecdsa_key";
- type = "ecdsa";
- }
- ];
 # below config options from Lynis recommendations
 ClientAliveCountMax =2;
diff --git a/systems/palatine-hill/configuration.nix b/systems/palatine-hill/configuration.nix
index 32bc89f..fa62907 100644
--- a/systems/palatine-hill/configuration.nix
+++ b/systems/palatine-hill/configuration.nix
@@ -50,7 +50,7 @@
 smartd.enable = true;
 zfs = {
 trim.enable = true;
- autoscrub.enable = true;
+ autoScrub.enable = true;
 };
 };
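Review bot: The moved `hostKeys` list replaces the module default rather than extending it, so the rsa and ed25519 entries the comment calls a "modified default" are load-bearing — remove one and that host key type is no longer generated at all. The ecdsa entry also carries no `bits`, so its size presumably falls back to the ssh-keygen default (256-bit, NIST P-256); if a larger curve is intended, set it explicitly the way the rsa entry does. I would reword the comment to `# Replaces the module default (rsa-4096 + ed25519) with the Mozilla "modern" host key set; ecdsa size is ssh-keygen's default unless bits is set`. The enclosing attrset (presumably services.openssh) starts and ends outside the hunk.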
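Review bot: `Macs` is the typed option name, so this rename changes what gets rendered rather than only its spelling: `settings` is a freeform attrset, and the old `MACs` key was presumably emitted into sshd_config alongside the module's own default `Macs` line, with sshd's case-insensitive, first-keyword-wins parsing deciding which list actually applied. It is worth confirming on the rebuilt host with `sshd -T | grep -i macs` that only the intended list survives. Now that this list governs the effective MACs, note that it continues (in the following hunk) with the non-EtM `hmac-sha2-256` and `umac-128@openssh.com`, which the module default, as far as I recall, leaves out; a one-line comment stating that the wider set is deliberate would help the next reader. The `settings` attrset this line belongs to starts and ends outside this hunk.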