Add hardened SSH config

Signed-off-by: ahuston-0 <aliceghuston@gmail.com>

systems/configuration.nix

@@ -32,6 +32,56 @@
       settings = {
         PermitRootLogin = "no";
         PasswordAuthentication = false;
+        # below config options from https://sysadministrivia.com/news/hardening-ssh-security
+        KexAlgorithms = [
+          "curve25519-sha256@libssh.org"
+          "diffie-hellman-group-exchange-sha256"
+        ];
+        Ciphers = [
+          "chacha20-poly1305@openssh.com"
+          "aes256-gcm@openssh.com"
+          "aes128-gcm@openssh.com"
+          "aes256-ctr"
+          "aes192-ctr"
+          "aes128-ctr"
+        ];
+        MACs = [
+          "hmac-sha2-512-etm@openssh.com"
+          "hmac-sha2-256-etm@openssh.com"
+          "umac-128-etm@openssh.com"
+          "hmac-sha2-512"
+          "hmac-sha2-256"
+          "umac-128@openssh.com"
+        ];
+        # below is a modified default to include ecdsa (as per this https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67)
+        hostKeys = [
+          {
+            bits = 4096;
+            path = "/etc/ssh/ssh_host_rsa_key";
+            type = "rsa";
+          }
+          {
+            path = "/etc/ssh/ssh_host_ed25519_key";
+            type = "ed25519";
+          }
+          {
+            path = "/etc/ssh/ssh_host_ecdsa_key";
+            type = "ecdsa";
+          }
+        ];
+
+        # below config options from Lynis recommendations
+        ClientAliveCountMax =2;
+        Compression = "NO";
+        MaxAuthTries = 3;
+        MaxSessions = 2;
+        # Commenting below as I'm not sure if this will break things
+        # TCPKeepAlive = "NO";
+        # UseDNS = "NO";
+
+        # below config options from https://linux-audit.com/audit-and-harden-your-ssh-configuration/
+        IgnoreRhosts = "yes";
+        PermitEmptyPasswords = "no";
       };
     };
   };