1 files changed, 79 insertions, 77 deletions
diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix
index 8960fbb0..a989733f 100644
--- a/system-profiles/openssh/default.nix
+++ b/system-profiles/openssh/default.nix
@@ -4,6 +4,52 @@ with lib;
 let
  cfg = config.services.openssh;
+  Ciphers = [
+    "chacha20-poly1305@openssh.com"
+    "aes256-gcm@openssh.com"
+    "aes256-ctr"
+  ];
+  Macs = [
+    "umac-128-etm@openssh.com"
+    "hmac-sha2-256-etm@openssh.com"
+    "hmac-sha2-512-etm@openssh.com"
+    "umac-128@openssh.com"
+    "hmac-sha2-256"
+    "hmac-sha2-512"
+    "umac-64-etm@openssh.com"
+    "umac-64@openssh.com"
+  ];
+  KexAlgorithms = [
+    "sntrup761x25519-sha512@openssh.com"
+    "curve25519-sha256"
+    "curve25519-sha256@libssh.org"
+    "diffie-hellman-group-exchange-sha256"
+  ];
+  HostKeyAlgorithms = [
+    "sk-ssh-ed25519-cert-v01@openssh.com"
+    "ssh-ed25519-cert-v01@openssh.com"
+    "rsa-sha2-256-cert-v01@openssh.com"
+    "rsa-sha2-512-cert-v01@openssh.com"
+    "sk-ssh-ed25519@openssh.com"
+    "ssh-ed25519"
+    "rsa-sha2-256"
+    "rsa-sha2-512"
+  ];
+  CASignatureAlgorithms = [
+    "sk-ssh-ed25519@openssh.com"
+    "ssh-ed25519"
+    "rsa-sha2-256"
+    "rsa-sha2-512"
+  ];
+  PubkeyAcceptedAlgorithms = [
+    "ssh-ed25519-cert-v01@openssh.com"
+    "sk-ssh-ed25519-cert-v01@openssh.com"
+    "rsa-sha2-512-cert-v01@openssh.com"
+    "rsa-sha2-256-cert-v01@openssh.com"
+    "ssh-ed25519"
+    "ssh-rsa"
+  ];
 in {
  options = {
    services.openssh = {
@@ -50,6 +96,32 @@ in {
          "rsa-sha2-256"
        ];
      };
+      settings.PubkeyAcceptedAlgorithms = mkOption {
+        type = types.listOf types.str;
+        default = [
+          "ssh-ed25519"
+          "ssh-ed25519-cert-v01@openssh.com"
+          "sk-ssh-ed25519@openssh.com"
+          "sk-ssh-ed25519-cert-v01@openssh.com"
+          "ecdsa-sha2-nistp256"
+          "ecdsa-sha2-nistp256-cert-v01@openssh.com"
+          "ecdsa-sha2-nistp384"
+          "ecdsa-sha2-nistp384-cert-v01@openssh.com"
+          "ecdsa-sha2-nistp521"
+          "ecdsa-sha2-nistp521-cert-v01@openssh.com"
+          "sk-ecdsa-sha2-nistp256@openssh.com"
+          "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com"
+          "webauthn-sk-ecdsa-sha2-nistp256@openssh.com"
+          "ssh-dss"
+          "ssh-dss-cert-v01@openssh.com"
+          "ssh-rsa"
+          "ssh-rsa-cert-v01@openssh.com"
+          "rsa-sha2-256"
+          "rsa-sha2-256-cert-v01@openssh.com"
+          "rsa-sha2-512"
+          "rsa-sha2-512-cert-v01@openssh.com"
+        ];
+      };
    };
  };
@@ -59,43 +131,7 @@ in {
    services.openssh = mkIf cfg.enable {
      hostKeys = mkIf cfg.staticHostKeys (mkForce []); # done manually
      settings = {
-        Ciphers = [
+        inherit Ciphers Macs KexAlgorithms HostKeyAlgorithms CASignatureAlgorithms PubKeyAcceptedAlgorithms;
-          "chacha20-poly1305@openssh.com"
-          "aes256-gcm@openssh.com"
-          "aes256-ctr"
-        ];
-        Macs = [
-          "umac-128-etm@openssh.com"
-          "hmac-sha2-256-etm@openssh.com"
-          "hmac-sha2-512-etm@openssh.com"
-          "umac-128@openssh.com"
-          "hmac-sha2-256"
-          "hmac-sha2-512"
-          "umac-64-etm@openssh.com"
-          "umac-64@openssh.com"
-        ];
-        KexAlgorithms = [
-          "sntrup761x25519-sha512@openssh.com"
-          "curve25519-sha256"
-          "curve25519-sha256@libssh.org"
-          "diffie-hellman-group-exchange-sha256"
-        ];
-        HostKeyAlgorithms = [
-          "sk-ssh-ed25519-cert-v01@openssh.com"
-          "ssh-ed25519-cert-v01@openssh.com"
-          "rsa-sha2-256-cert-v01@openssh.com"
-          "rsa-sha2-512-cert-v01@openssh.com"
-          "sk-ssh-ed25519@openssh.com"
-          "ssh-ed25519"
-          "rsa-sha2-256"
-          "rsa-sha2-512"
-        ];
-        CASignatureAlgorithms = [
-          "sk-ssh-ed25519@openssh.com"
-          "ssh-ed25519"
-          "rsa-sha2-256"
-          "rsa-sha2-512"
-        ];
        LogLevel = "VERBOSE";
        RevokedKeys = "/etc/ssh/krl.bin";
@@ -124,49 +160,15 @@ in {
        ./known-hosts/borgbase.keys
      ];
-      ciphers = [
+      ciphers = Ciphers;
-        "chacha20-poly1305@openssh.com"
+      macs = Macs;
-        "aes256-gcm@openssh.com"
+      kexAlgorithms = KexAlgorithms;
-        "aes256-ctr"
+      hostKeyAlgorithms = HostKeyAlgorithms;
-      ];
+      pubkeyAcceptedKeyTypes = PubKeyAcceptedAlgorithms;
-      macs = [
-        "umac-128-etm@openssh.com"
-        "hmac-sha2-256-etm@openssh.com"
-        "hmac-sha2-512-etm@openssh.com"
-        "umac-128@openssh.com"
-        "hmac-sha2-256"
-        "hmac-sha2-512"
-        "umac-64-etm@openssh.com"
-        "umac-64@openssh.com"
-      ];
-      kexAlgorithms = [
-        "sntrup761x25519-sha512@openssh.com"
-        "curve25519-sha256"
-        "curve25519-sha256@libssh.org"
-        "diffie-hellman-group-exchange-sha256"
-      ];
-      hostKeyAlgorithms = [
-        "sk-ssh-ed25519-cert-v01@openssh.com"
-        "ssh-ed25519-cert-v01@openssh.com"
-        "rsa-sha2-256-cert-v01@openssh.com"
-        "rsa-sha2-512-cert-v01@openssh.com"
-        "sk-ssh-ed25519@openssh.com"
-        "ssh-ed25519"
-        "rsa-sha2-256"
-        "rsa-sha2-512"
-      ];
-      pubkeyAcceptedKeyTypes = [
-        "ssh-ed25519-cert-v01@openssh.com"
-        "sk-ssh-ed25519-cert-v01@openssh.com"
-        "rsa-sha2-512-cert-v01@openssh.com"
-        "rsa-sha2-256-cert-v01@openssh.com"
-        "ssh-ed25519"
-        "ssh-rsa"
-      ];
      extraConfig = ''
        Host *
-          CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512
+          CASignatureAlgorithms ${concatStringsSep "," CASignatureAlgorithms}
          PasswordAuthentication no
          KbdInteractiveAuthentication no
      '';