Merge pull request 'merge master' (#1) from Unitoo/dot-files:master into master

Reviewed-on: https://gitea.it/claudiomaradonna/dot-files/pulls/1

etc/systemd/system/certbot-renewal.service

@@ -0,0 +1,6 @@
+[Unit]
+Description=Automatically renews SSL certificates obtained with certbot
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/certbot renew -q --post-hook /usr/local/bin/certbot-restart-nginx

etc/systemd/system/certbot-renewal.timer

@@ -0,0 +1,10 @@
+[Unit]
+Description=This is the timer schedule Automatic renewals of SSL certificates obtained with certbot
+
+[Timer]
+OnCalendar=daily
+RandomizedDelaySec=6hours
+Persistent=true
+
+[Install]
+WantedBy=timers.target

ssh/etc/ssh/sshd_config

@@ -1,27 +1,52 @@
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_ecdsa_key
-HostKey /etc/ssh/ssh_host_ed25519_key
+Protocol 2                                  	                # Protocol 1 is fundamentally broken
+StrictModes yes                                                 # Protects from misconfiguration
 
-SyslogFacility AUTHPRIV
+#ListenAddress [ip-here]                                        # Listening address
+Port 22                                                         # Listening port. Normal 22
 
-AllowGroups sshlogin
-
-PermitRootLogin WITHOUT-PASSWORD
-PubkeyAuthentication yes
+AuthenticationMethods publickey                                 # Only public key authentication allowed
 AuthorizedKeysFile .ssh/authorized_keys
-IgnoreRhosts yes
-MaxSessions 4
-MaxAuthTries 4
-ClientAliveCountMax 2
-LogLevel VERBOSE
-PasswordAuthentication no
-ChallengeResponseAuthentication no
-GSSAPIAuthentication no
-UsePAM yes
-PrintMotd no
-X11Forwarding no
-AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
-AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
-AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
-AcceptEnv XMODIFIERS
-Subsystem       sftp    /usr/lib/openssh/sftp-server
+PubkeyAuthentication yes                                        # Allow public key authentication
+HostKey /etc/ssh/ssh_host_ed25519_key                           # Only allow ECDSA pubic key authentication
+HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519  # Host keys the client should accepts
+KexAlgorithms curve25519-sha256                                 # Specifies the available KEX (Key Exchange) algorithms
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com    # Specifies the ciphers allowed
+MACs hmac-sha2-512-etm@openssh.com                		# Specifies the available MAC alg.
+
+#Only allow incoming ECDSA and ed25519 sessions:
+HostbasedAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
+PubkeyAcceptedKeyTypes sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,ssh-ed25519
+#CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
+
+PermitRootLogin WITHOUT-PASSWORD                                # Enable/disable root login
+#AllowUsers [username]                                          # Authorized SSH users are inside the admin group
+MaxAuthTries 5                                                  # Maximum allowed authentication attempts
+MaxSessions 2                                                   # Maximum allowed sessions by the user
+
+PasswordAuthentication no                                       # No username password authentication
+PermitEmptyPasswords no                                         # No empty password authentcation allowed
+IgnoreRhosts yes                                                # Dont read users rhost files
+HostbasedAuthentication no                                      # Disable host-based authentication
+ChallengeResponseAuthentication no                              # Unused authentication scheme
+X11Forwarding no                                                # Disable X11 forwarding
+
+LogLevel VERBOSE                                                # Fingerprint details of failed login attempts
+SyslogFacility AUTH                                             # Logging authentication and authorization related commands
+UseDNS no                                                       # Client from a location without proper DNS generate a warning in the logs
+
+PermitTunnel no                                                 # Only SSH connection and nothing else
+AllowTcpForwarding no                                           # Disablow tunneling out via SSH
+AllowStreamLocalForwarding no                                   # Disablow tunneling out via SSH
+GatewayPorts no                                                 # Disablow tunneling out via SSH
+AllowAgentForwarding no                                         # Do not allow agent forwarding
+
+#Banner /etc/issue.net                                           # Show legal login banner
+PrintLastLog yes                                                # Show last login
+
+ClientAliveInterval 900                                         # Client timeout (15 minutes)
+ClientAliveCountMax 0                                           # This way enforces timeouts on the server side
+LoginGraceTime 30                                               # Authenticatin must happen within 30 seconds
+MaxStartups 2                                                   # Max concurrent SSH sessions
+TCPKeepAlive yes                                                # Do not use TCP keep-alive
+
+AcceptEnv LANG LC_*                                             # Allow client to pass locale environment variables

usr/local/bin/certbot-restart-nginx

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
+
+nginx -tq && systemctl restart nginx