diff options
| author | Gregor Kleen <gkleen@yggdrasil.li> | 2023-03-20 12:01:42 +0100 |
|---|---|---|
| committer | Gregor Kleen <gkleen@yggdrasil.li> | 2023-03-20 12:01:42 +0100 |
| commit | 9e0f84316df0504d73320495c51fe3bd7f968e7d (patch) | |
| tree | a4f095f2200d3987f4837209bd5188241b13ec53 | |
| parent | 89749d73a82bd0bfdfa225be06a6db8e82371ff4 (diff) | |
| download | nixos-9e0f84316df0504d73320495c51fe3bd7f968e7d.tar nixos-9e0f84316df0504d73320495c51fe3bd7f968e7d.tar.gz nixos-9e0f84316df0504d73320495c51fe3bd7f968e7d.tar.bz2 nixos-9e0f84316df0504d73320495c51fe3bd7f968e7d.tar.xz nixos-9e0f84316df0504d73320495c51fe3bd7f968e7d.zip | |
...
| -rw-r--r-- | hosts/eostre/default.nix | 1 | ||||
| -rw-r--r-- | system-profiles/openssh/default.nix | 102 |
2 files changed, 92 insertions, 11 deletions
diff --git a/hosts/eostre/default.nix b/hosts/eostre/default.nix index 2752d136..b6864833 100644 --- a/hosts/eostre/default.nix +++ b/hosts/eostre/default.nix | |||
| @@ -100,6 +100,7 @@ with lib; | |||
| 100 | 100 | ||
| 101 | services.openssh = { | 101 | services.openssh = { |
| 102 | enable = true; | 102 | enable = true; |
| 103 | startWhenNeeded = true; | ||
| 103 | settings = { | 104 | settings = { |
| 104 | PasswordAuthentication = true; | 105 | PasswordAuthentication = true; |
| 105 | KbdInteractiveAuthentication = true; | 106 | KbdInteractiveAuthentication = true; |
diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix index 8f0bd11b..8960fbb0 100644 --- a/system-profiles/openssh/default.nix +++ b/system-profiles/openssh/default.nix | |||
| @@ -6,9 +6,50 @@ let | |||
| 6 | cfg = config.services.openssh; | 6 | cfg = config.services.openssh; |
| 7 | in { | 7 | in { |
| 8 | options = { | 8 | options = { |
| 9 | services.openssh.staticHostKeys = mkOption { | 9 | services.openssh = { |
| 10 | type = types.bool; | 10 | staticHostKeys = mkOption { |
| 11 | default = pathExists (./host-keys + "/${hostName}.yaml"); | 11 | type = types.bool; |
| 12 | default = pathExists (./host-keys + "/${hostName}.yaml"); | ||
| 13 | }; | ||
| 14 | settings.HostKeyAlgorithms = mkOption { | ||
| 15 | type = types.listOf types.str; | ||
| 16 | default = [ | ||
| 17 | "ssh-ed25519" | ||
| 18 | "ssh-ed25519-cert-v01@openssh.com" | ||
| 19 | "sk-ssh-ed25519@openssh.com" | ||
| 20 | "sk-ssh-ed25519-cert-v01@openssh.com" | ||
| 21 | "ecdsa-sha2-nistp256" | ||
| 22 | "ecdsa-sha2-nistp256-cert-v01@openssh.com" | ||
| 23 | "ecdsa-sha2-nistp384" | ||
| 24 | "ecdsa-sha2-nistp384-cert-v01@openssh.com" | ||
| 25 | "ecdsa-sha2-nistp521" | ||
| 26 | "ecdsa-sha2-nistp521-cert-v01@openssh.com" | ||
| 27 | "sk-ecdsa-sha2-nistp256@openssh.com" | ||
| 28 | "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com" | ||
| 29 | "webauthn-sk-ecdsa-sha2-nistp256@openssh.com" | ||
| 30 | "ssh-dss" | ||
| 31 | "ssh-dss-cert-v01@openssh.com" | ||
| 32 | "ssh-rsa" | ||
| 33 | "ssh-rsa-cert-v01@openssh.com" | ||
| 34 | "rsa-sha2-256" | ||
| 35 | "rsa-sha2-256-cert-v01@openssh.com" | ||
| 36 | "rsa-sha2-512" | ||
| 37 | "rsa-sha2-512-cert-v01@openssh.com" | ||
| 38 | ]; | ||
| 39 | }; | ||
| 40 | settings.CASignatureAlgorithms = mkOption { | ||
| 41 | type = types.listOf types.str; | ||
| 42 | default = [ | ||
| 43 | "ssh-ed25519" | ||
| 44 | "ecdsa-sha2-nistp256" | ||
| 45 | "ecdsa-sha2-nistp384" | ||
| 46 | "ecdsa-sha2-nistp521" | ||
| 47 | "sk-ssh-ed25519@openssh.com" | ||
| 48 | "sk-ecdsa-sha2-nistp256@openssh.com" | ||
| 49 | "rsa-sha2-512" | ||
| 50 | "rsa-sha2-256" | ||
| 51 | ]; | ||
| 52 | }; | ||
| 12 | }; | 53 | }; |
| 13 | }; | 54 | }; |
| 14 | 55 | ||
| @@ -24,10 +65,14 @@ in { | |||
| 24 | "aes256-ctr" | 65 | "aes256-ctr" |
| 25 | ]; | 66 | ]; |
| 26 | Macs = [ | 67 | Macs = [ |
| 68 | "umac-128-etm@openssh.com" | ||
| 27 | "hmac-sha2-256-etm@openssh.com" | 69 | "hmac-sha2-256-etm@openssh.com" |
| 28 | "hmac-sha2-256" | ||
| 29 | "hmac-sha2-512-etm@openssh.com" | 70 | "hmac-sha2-512-etm@openssh.com" |
| 71 | "umac-128@openssh.com" | ||
| 72 | "hmac-sha2-256" | ||
| 30 | "hmac-sha2-512" | 73 | "hmac-sha2-512" |
| 74 | "umac-64-etm@openssh.com" | ||
| 75 | "umac-64@openssh.com" | ||
| 31 | ]; | 76 | ]; |
| 32 | KexAlgorithms = [ | 77 | KexAlgorithms = [ |
| 33 | "sntrup761x25519-sha512@openssh.com" | 78 | "sntrup761x25519-sha512@openssh.com" |
| @@ -35,7 +80,7 @@ in { | |||
| 35 | "curve25519-sha256@libssh.org" | 80 | "curve25519-sha256@libssh.org" |
| 36 | "diffie-hellman-group-exchange-sha256" | 81 | "diffie-hellman-group-exchange-sha256" |
| 37 | ]; | 82 | ]; |
| 38 | HostKeyAlgorithms = concatStringsSep "," [ | 83 | HostKeyAlgorithms = [ |
| 39 | "sk-ssh-ed25519-cert-v01@openssh.com" | 84 | "sk-ssh-ed25519-cert-v01@openssh.com" |
| 40 | "ssh-ed25519-cert-v01@openssh.com" | 85 | "ssh-ed25519-cert-v01@openssh.com" |
| 41 | "rsa-sha2-256-cert-v01@openssh.com" | 86 | "rsa-sha2-256-cert-v01@openssh.com" |
| @@ -45,7 +90,7 @@ in { | |||
| 45 | "rsa-sha2-256" | 90 | "rsa-sha2-256" |
| 46 | "rsa-sha2-512" | 91 | "rsa-sha2-512" |
| 47 | ]; | 92 | ]; |
| 48 | CASignatureAlgorithms = concatStringsSep "," [ | 93 | CASignatureAlgorithms = [ |
| 49 | "sk-ssh-ed25519@openssh.com" | 94 | "sk-ssh-ed25519@openssh.com" |
| 50 | "ssh-ed25519" | 95 | "ssh-ed25519" |
| 51 | "rsa-sha2-256" | 96 | "rsa-sha2-256" |
| @@ -79,11 +124,46 @@ in { | |||
| 79 | ./known-hosts/borgbase.keys | 124 | ./known-hosts/borgbase.keys |
| 80 | ]; | 125 | ]; |
| 81 | 126 | ||
| 82 | ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes256-ctr" ]; | 127 | ciphers = [ |
| 83 | hostKeyAlgorithms = [ "sk-ssh-ed25519-cert-v01@openssh.com" "ssh-ed25519-cert-v01@openssh.com" "rsa-sha2-256-cert-v01@openssh.com" "rsa-sha2-512-cert-v01@openssh.com" "sk-ssh-ed25519@openssh.com" "ssh-ed25519" "rsa-sha2-256" "rsa-sha2-512" ]; | 128 | "chacha20-poly1305@openssh.com" |
| 84 | kexAlgorithms = [ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ]; | 129 | "aes256-gcm@openssh.com" |
| 85 | macs = [ "umac-128-etm@openssh.com" "hmac-sha2-256-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128@openssh.com" "hmac-sha2-256" "hmac-sha2-512" "umac-64-etm@openssh.com" "umac-64@openssh.com"]; | 130 | "aes256-ctr" |
| 86 | pubkeyAcceptedKeyTypes = [ "ssh-ed25519-cert-v01@openssh.com" "sk-ssh-ed25519-cert-v01@openssh.com" "rsa-sha2-512-cert-v01@openssh.com" "rsa-sha2-256-cert-v01@openssh.com" "ssh-ed25519" "ssh-rsa" ]; | 131 | ]; |
| 132 | macs = [ | ||
| 133 | "umac-128-etm@openssh.com" | ||
| 134 | "hmac-sha2-256-etm@openssh.com" | ||
| 135 | "hmac-sha2-512-etm@openssh.com" | ||
| 136 | "umac-128@openssh.com" | ||
| 137 | "hmac-sha2-256" | ||
| 138 | "hmac-sha2-512" | ||
| 139 | "umac-64-etm@openssh.com" | ||
| 140 | "umac-64@openssh.com" | ||
| 141 | ]; | ||
| 142 | kexAlgorithms = [ | ||
| 143 | "sntrup761x25519-sha512@openssh.com" | ||
| 144 | "curve25519-sha256" | ||
| 145 | "curve25519-sha256@libssh.org" | ||
| 146 | "diffie-hellman-group-exchange-sha256" | ||
| 147 | ]; | ||
| 148 | hostKeyAlgorithms = [ | ||
| 149 | "sk-ssh-ed25519-cert-v01@openssh.com" | ||
| 150 | "ssh-ed25519-cert-v01@openssh.com" | ||
| 151 | "rsa-sha2-256-cert-v01@openssh.com" | ||
| 152 | "rsa-sha2-512-cert-v01@openssh.com" | ||
| 153 | "sk-ssh-ed25519@openssh.com" | ||
| 154 | "ssh-ed25519" | ||
| 155 | "rsa-sha2-256" | ||
| 156 | "rsa-sha2-512" | ||
| 157 | ]; | ||
| 158 | pubkeyAcceptedKeyTypes = [ | ||
| 159 | "ssh-ed25519-cert-v01@openssh.com" | ||
| 160 | "sk-ssh-ed25519-cert-v01@openssh.com" | ||
| 161 | "rsa-sha2-512-cert-v01@openssh.com" | ||
| 162 | "rsa-sha2-256-cert-v01@openssh.com" | ||
| 163 | "ssh-ed25519" | ||
| 164 | "ssh-rsa" | ||
| 165 | ]; | ||
| 166 | |||
| 87 | extraConfig = '' | 167 | extraConfig = '' |
| 88 | Host * | 168 | Host * |
| 89 | CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512 | 169 | CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512 |