diff options
| author | Gregor Kleen <gkleen@yggdrasil.li> | 2023-02-27 15:08:09 +0100 |
|---|---|---|
| committer | Gregor Kleen <gkleen@yggdrasil.li> | 2023-02-27 15:08:09 +0100 |
| commit | 37292c1c8d2a7b3038fdad635372bbccd833e698 (patch) | |
| tree | 5f23d9710e94246ef33a4b729e3b0d17dde89be9 | |
| parent | 4800e3a8c7e9f6bbb668c50a29f689a83de223c7 (diff) | |
| download | nixos-37292c1c8d2a7b3038fdad635372bbccd833e698.tar nixos-37292c1c8d2a7b3038fdad635372bbccd833e698.tar.gz nixos-37292c1c8d2a7b3038fdad635372bbccd833e698.tar.bz2 nixos-37292c1c8d2a7b3038fdad635372bbccd833e698.tar.xz nixos-37292c1c8d2a7b3038fdad635372bbccd833e698.zip | |
...
| -rw-r--r-- | system-profiles/openssh/default.nix | 17 |
1 files changed, 9 insertions, 8 deletions
diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix index 221dac3c..929a5bdd 100644 --- a/system-profiles/openssh/default.nix +++ b/system-profiles/openssh/default.nix | |||
| @@ -17,21 +17,22 @@ in { | |||
| 17 | 17 | ||
| 18 | services.openssh = mkIf cfg.enable { | 18 | services.openssh = mkIf cfg.enable { |
| 19 | hostKeys = mkIf cfg.staticHostKeys (mkForce []); # done manually | 19 | hostKeys = mkIf cfg.staticHostKeys (mkForce []); # done manually |
| 20 | ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes256-ctr" ]; | 20 | settings = { |
| 21 | macs = [ "hmac-sha2-256-etm@openssh.com" "hmac-sha2-256" "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512" ]; | 21 | Ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes256-ctr" ]; |
| 22 | kexAlgorithms = [ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ]; | 22 | Macs = [ "hmac-sha2-256-etm@openssh.com" "hmac-sha2-256" "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512" ]; |
| 23 | KexAlgorithms = [ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ]; | ||
| 24 | LogLevel = "VERBOSE"; | ||
| 25 | HostKeyAlgorithms = [ "sk-ssh-ed25519-cert-v01@openssh.com" "ssh-ed25519-cert-v01@openssh.com" "rsa-sha2-256-cert-v01@openssh.com" "rsa-sha2-512-cert-v01@openssh.com" "sk-ssh-ed25519@openssh.com" "ssh-ed25519" "rsa-sha2-256" "rsa-sha2-512" ]; | ||
| 26 | CASignatureAlgorithms = [ "sk-ssh-ed25519@openssh.com" "ssh-ed25519" "rsa-sha2-256" "rsa-sha2-512" ]; | ||
| 27 | RevokedKeys = "/etc/ssh/krl.bin"; | ||
| 28 | }; | ||
| 23 | moduliFile = mkIf (config.sops.secrets ? "ssh_moduli") config.sops.secrets.ssh_moduli.path; | 29 | moduliFile = mkIf (config.sops.secrets ? "ssh_moduli") config.sops.secrets.ssh_moduli.path; |
| 24 | extraConfig = '' | 30 | extraConfig = '' |
| 25 | HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512 | ||
| 26 | CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512 | ||
| 27 | |||
| 28 | ${optionalString cfg.staticHostKeys "HostKey /etc/ssh/ssh_host_ed25519_key"} | 31 | ${optionalString cfg.staticHostKeys "HostKey /etc/ssh/ssh_host_ed25519_key"} |
| 29 | ${optionalString (config.environment.etc ? "ssh/ssh_host_ed25519_key-cert.pub") "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"} | 32 | ${optionalString (config.environment.etc ? "ssh/ssh_host_ed25519_key-cert.pub") "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"} |
| 30 | ${optionalString cfg.staticHostKeys "HostKey /etc/ssh/ssh_host_rsa_key"} | 33 | ${optionalString cfg.staticHostKeys "HostKey /etc/ssh/ssh_host_rsa_key"} |
| 31 | ${optionalString (config.environment.etc ? "ssh/ssh_host_rsa_key-cert.pub") "HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub"} | 34 | ${optionalString (config.environment.etc ? "ssh/ssh_host_rsa_key-cert.pub") "HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub"} |
| 32 | RevokedKeys /etc/ssh/krl.bin | ||
| 33 | ''; | 35 | ''; |
| 34 | logLevel = "VERBOSE"; | ||
| 35 | }; | 36 | }; |
| 36 | 37 | ||
| 37 | programs.ssh = { | 38 | programs.ssh = { |