forked from pub-solar/infra
teutat3s
d5922ff2b8
systemd https://github.com/systemd/systemd/issues/10579 Without this change, there are random SERVFAIL responses with Greenbaum DNS when using allow-downgrade. Fixes DNS queries for lev-1.int.greenbaum.zone ❯ dig obs-portal.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.int.greenbaum.zone ; <<>> DiG 9.18.19 <<>> obs-portal.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.int.greenbaum.zone ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1871 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 65494 ;; QUESTION SECTION: ;obs-portal.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.int.greenbaum.zone. IN A ;; ANSWER SECTION: obs-portal.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.int.greenbaum.zone. 22 IN A 192.168.128.82 ;; Query time: 105 msec ;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP) ;; WHEN: Thu Nov 09 10:38:02 UTC 2023 ;; MSG SIZE rcvd: 121
41 lines
1.5 KiB
Nix
41 lines
1.5 KiB
Nix
{ pkgs, ... }: {
|
|
services.openssh = {
|
|
enable = true;
|
|
settings = {
|
|
PermitRootLogin = "prohibit-password";
|
|
PasswordAuthentication = false;
|
|
# Add back openssh MACs that got removed from defaults
|
|
# for backwards compatibility
|
|
#
|
|
# NixOS default openssh MACs have changed to use "encrypt-then-mac" only.
|
|
# This breaks compatibilty with clients that do not offer these MACs. For
|
|
# compatibility reasons, we add back the old defaults.
|
|
# See: https://github.com/NixOS/nixpkgs/pull/231165
|
|
#
|
|
# https://blog.stribik.technology/2015/01/04/secure-secure-shell.html
|
|
# https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67
|
|
Macs = [
|
|
"hmac-sha2-512-etm@openssh.com"
|
|
"hmac-sha2-256-etm@openssh.com"
|
|
"umac-128-etm@openssh.com"
|
|
"hmac-sha2-512"
|
|
"hmac-sha2-256"
|
|
"umac-128@openssh.com"
|
|
];
|
|
};
|
|
};
|
|
|
|
services.resolved = {
|
|
enable = true;
|
|
# DNSSEC=false because of random SERVFAIL responses with Greenbaum DNS
|
|
# when using allow-downgrade, see https://github.com/systemd/systemd/issues/10579
|
|
extraConfig = ''
|
|
DNS=193.110.81.0#dns0.eu 185.253.5.0#dns0.eu 2a0f:fc80::#dns0.eu 2a0f:fc81::#dns0.eu 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
|
|
FallbackDNS=5.1.66.255#dot.ffmuc.net 185.150.99.255#dot.ffmuc.net 2001:678:e68:f000::#dot.ffmuc.net 2001:678:ed0:f000::#dot.ffmuc.net
|
|
Domains=~.
|
|
DNSOverTLS=yes
|
|
DNSSEC=false
|
|
'';
|
|
};
|
|
}
|