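# sshd_config template. Two template variables are rendered into it:
#   port  - TCP port sshd listens on
#   users - list of names joined into the AllowGroups line (see note there)

# "Protocol 2" is accepted but ignored by current OpenSSH releases (protocol 1
# support was removed); kept only for older builds that still honour it.
Protocol 2
Port ${port}

# Drop idle sessions: a client that fails to answer 3 keepalive probes sent
# 15 s apart (~45 s) is disconnected.
ClientAliveCountMax 3
ClientAliveInterval 15

# Allow reverse tunnels.
# NOTE(review): "yes" binds every remote-forwarded port (ssh -R) on all of
# the host's interfaces, so a tunnel any permitted user opens is reachable
# from the network rather than only from localhost. "clientspecified" would
# let the client pick the bind address instead; left as "yes" to preserve the
# current behaviour.
GatewayPorts yes

# Miscellaneous:
PrintMotd no

# Hardening.
# Source: https://infosec.mozilla.org/guidelines/openssh.html

# Only an Ed25519 host key (clients without Ed25519 support cannot connect):
HostKey /etc/ssh/ssh_host_ed25519_key

# Only the first choices for key exchange, cipher and MAC.
# chacha20-poly1305 is an AEAD cipher, so while it is the only cipher offered
# the MACs line is not used on the wire; it is kept so that adding a non-AEAD
# cipher later stays covered by an encrypt-then-MAC algorithm.
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

# No password login. AuthenticationMethods restricts every login to public
# key, so keyboard-interactive (PAM) passwords are refused as well.
PasswordAuthentication no
AuthenticationMethods publickey

# Whitelist users.
# NOTE(review): the variable is named "users" but AllowGroups matches Unix
# group names, so this presumably relies on each user having a private group
# of the same name -- confirm against the user provisioning.
PermitRootLogin no
AllowGroups ${join(" ", users)}

# Log things.
# LogLevel VERBOSE records the fingerprint of the key each login used, which
# the default INFO level does not; the cited guideline recommends it so that
# a login can be attributed to a specific authorized key.
LogLevel VERBOSE
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO

# Whitelist accepted environment variables:
AcceptEnv LANG LC_*

# X11 forwarding is not needed on this host:
X11Forwarding no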