# TCP port to bind to
Port {{ ssh_port }}

AllowUsers {% if hostname_slug in pve_hosts %}{{ me.user }}@{{ pve_hosts.internal_cidr }}{% endif %} {{ me.user }}@{{ tailscale_cidr }} {{ ssh_extra_allowed_users }}

# Bind to all interfaces
ListenAddress 0.0.0.0

# Force SSHv2 Protocol
Protocol 2

HostKey /etc/ssh/ssh_host_ed25519_key

# Public key authentication + Password authentication
PubkeyAuthentication yes
AuthenticationMethods publickey

# Disable root SSH access
PermitRootLogin no

# Client timeout
ClientAliveInterval 60
ClientAliveCountMax 60

# Compression (only after authentication)
Compression delayed

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication must happen within 10 seconds
LoginGraceTime 10

MaxAuthTries 3
PermitEmptyPasswords no

# Check user folder permissions before allowing access
StrictModes yes

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# Disable unused authentication schemes
HostbasedAuthentication no
KbdInteractiveAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
UsePAM no

# X11 support
X11Forwarding no

PrintMotd yes
PrintLastLog yes

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp internal-sftp

# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com
# hardening guide.
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com

RequiredRSASize 3072

HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256

CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256

HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256

PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
