 1_: {
 2  services = {
 3    openssh = {
 4      enable = true;
 5      openFirewall = true;
 6      settings = {
 7        # Authentication
 8        PasswordAuthentication = false;
 9        PermitRootLogin = "without-password";
10        KbdInteractiveAuthentication = false;
11        PermitUserEnvironment = false;
12      };
13      extraConfig = ''
14        StreamLocalBindUnlink yes
15
16        # Only allow strong key types (Ed25519, ECDSA, RSA, plus FIDO2/security key variants)
17        PubkeyAcceptedKeyTypes ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
18      '';
19    };
20    sshguard.enable = true;
21  };
22  security.pam.sshAgentAuth.enable = true;
23}