summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGregor Kleen <gkleen@yggdrasil.li>2023-02-27 15:08:09 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2023-02-27 15:08:09 +0100
commit37292c1c8d2a7b3038fdad635372bbccd833e698 (patch)
tree5f23d9710e94246ef33a4b729e3b0d17dde89be9
parent4800e3a8c7e9f6bbb668c50a29f689a83de223c7 (diff)
downloadnixos-37292c1c8d2a7b3038fdad635372bbccd833e698.tar
nixos-37292c1c8d2a7b3038fdad635372bbccd833e698.tar.gz
nixos-37292c1c8d2a7b3038fdad635372bbccd833e698.tar.bz2
nixos-37292c1c8d2a7b3038fdad635372bbccd833e698.tar.xz
nixos-37292c1c8d2a7b3038fdad635372bbccd833e698.zip
...
-rw-r--r--system-profiles/openssh/default.nix17
1 files changed, 9 insertions, 8 deletions
diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix
index 221dac3c..929a5bdd 100644
--- a/system-profiles/openssh/default.nix
+++ b/system-profiles/openssh/default.nix
@@ -17,21 +17,22 @@ in {
17 17
18 services.openssh = mkIf cfg.enable { 18 services.openssh = mkIf cfg.enable {
19 hostKeys = mkIf cfg.staticHostKeys (mkForce []); # done manually 19 hostKeys = mkIf cfg.staticHostKeys (mkForce []); # done manually
20 ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes256-ctr" ]; 20 settings = {
21 macs = [ "hmac-sha2-256-etm@openssh.com" "hmac-sha2-256" "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512" ]; 21 Ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes256-ctr" ];
22 kexAlgorithms = [ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ]; 22 Macs = [ "hmac-sha2-256-etm@openssh.com" "hmac-sha2-256" "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512" ];
23 KexAlgorithms = [ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ];
24 LogLevel = "VERBOSE";
25 HostKeyAlgorithms = [ "sk-ssh-ed25519-cert-v01@openssh.com" "ssh-ed25519-cert-v01@openssh.com" "rsa-sha2-256-cert-v01@openssh.com" "rsa-sha2-512-cert-v01@openssh.com" "sk-ssh-ed25519@openssh.com" "ssh-ed25519" "rsa-sha2-256" "rsa-sha2-512" ];
26 CASignatureAlgorithms = [ "sk-ssh-ed25519@openssh.com" "ssh-ed25519" "rsa-sha2-256" "rsa-sha2-512" ];
27 RevokedKeys = "/etc/ssh/krl.bin";
28 };
23 moduliFile = mkIf (config.sops.secrets ? "ssh_moduli") config.sops.secrets.ssh_moduli.path; 29 moduliFile = mkIf (config.sops.secrets ? "ssh_moduli") config.sops.secrets.ssh_moduli.path;
24 extraConfig = '' 30 extraConfig = ''
25 HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512
26 CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512
27
28 ${optionalString cfg.staticHostKeys "HostKey /etc/ssh/ssh_host_ed25519_key"} 31 ${optionalString cfg.staticHostKeys "HostKey /etc/ssh/ssh_host_ed25519_key"}
29 ${optionalString (config.environment.etc ? "ssh/ssh_host_ed25519_key-cert.pub") "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"} 32 ${optionalString (config.environment.etc ? "ssh/ssh_host_ed25519_key-cert.pub") "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"}
30 ${optionalString cfg.staticHostKeys "HostKey /etc/ssh/ssh_host_rsa_key"} 33 ${optionalString cfg.staticHostKeys "HostKey /etc/ssh/ssh_host_rsa_key"}
31 ${optionalString (config.environment.etc ? "ssh/ssh_host_rsa_key-cert.pub") "HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub"} 34 ${optionalString (config.environment.etc ? "ssh/ssh_host_rsa_key-cert.pub") "HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub"}
32 RevokedKeys /etc/ssh/krl.bin
33 ''; 35 '';
34 logLevel = "VERBOSE";
35 }; 36 };
36 37
37 programs.ssh = { 38 programs.ssh = {