summaryrefslogtreecommitdiff
path: root/system-profiles/openssh/default.nix
diff options
context:
space:
mode:
Diffstat (limited to 'system-profiles/openssh/default.nix')
-rw-r--r--system-profiles/openssh/default.nix102
1 files changed, 91 insertions, 11 deletions
diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix
index 8f0bd11b..8960fbb0 100644
--- a/system-profiles/openssh/default.nix
+++ b/system-profiles/openssh/default.nix
@@ -6,9 +6,50 @@ let
6 cfg = config.services.openssh; 6 cfg = config.services.openssh;
7in { 7in {
8 options = { 8 options = {
9 services.openssh.staticHostKeys = mkOption { 9 services.openssh = {
10 type = types.bool; 10 staticHostKeys = mkOption {
11 default = pathExists (./host-keys + "/${hostName}.yaml"); 11 type = types.bool;
12 default = pathExists (./host-keys + "/${hostName}.yaml");
13 };
14 settings.HostKeyAlgorithms = mkOption {
15 type = types.listOf types.str;
16 default = [
17 "ssh-ed25519"
18 "ssh-ed25519-cert-v01@openssh.com"
19 "sk-ssh-ed25519@openssh.com"
20 "sk-ssh-ed25519-cert-v01@openssh.com"
21 "ecdsa-sha2-nistp256"
22 "ecdsa-sha2-nistp256-cert-v01@openssh.com"
23 "ecdsa-sha2-nistp384"
24 "ecdsa-sha2-nistp384-cert-v01@openssh.com"
25 "ecdsa-sha2-nistp521"
26 "ecdsa-sha2-nistp521-cert-v01@openssh.com"
27 "sk-ecdsa-sha2-nistp256@openssh.com"
28 "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com"
29 "webauthn-sk-ecdsa-sha2-nistp256@openssh.com"
30 "ssh-dss"
31 "ssh-dss-cert-v01@openssh.com"
32 "ssh-rsa"
33 "ssh-rsa-cert-v01@openssh.com"
34 "rsa-sha2-256"
35 "rsa-sha2-256-cert-v01@openssh.com"
36 "rsa-sha2-512"
37 "rsa-sha2-512-cert-v01@openssh.com"
38 ];
39 };
40 settings.CASignatureAlgorithms = mkOption {
41 type = types.listOf types.str;
42 default = [
43 "ssh-ed25519"
44 "ecdsa-sha2-nistp256"
45 "ecdsa-sha2-nistp384"
46 "ecdsa-sha2-nistp521"
47 "sk-ssh-ed25519@openssh.com"
48 "sk-ecdsa-sha2-nistp256@openssh.com"
49 "rsa-sha2-512"
50 "rsa-sha2-256"
51 ];
52 };
12 }; 53 };
13 }; 54 };
14 55
@@ -24,10 +65,14 @@ in {
24 "aes256-ctr" 65 "aes256-ctr"
25 ]; 66 ];
26 Macs = [ 67 Macs = [
68 "umac-128-etm@openssh.com"
27 "hmac-sha2-256-etm@openssh.com" 69 "hmac-sha2-256-etm@openssh.com"
28 "hmac-sha2-256"
29 "hmac-sha2-512-etm@openssh.com" 70 "hmac-sha2-512-etm@openssh.com"
71 "umac-128@openssh.com"
72 "hmac-sha2-256"
30 "hmac-sha2-512" 73 "hmac-sha2-512"
74 "umac-64-etm@openssh.com"
75 "umac-64@openssh.com"
31 ]; 76 ];
32 KexAlgorithms = [ 77 KexAlgorithms = [
33 "sntrup761x25519-sha512@openssh.com" 78 "sntrup761x25519-sha512@openssh.com"
@@ -35,7 +80,7 @@ in {
35 "curve25519-sha256@libssh.org" 80 "curve25519-sha256@libssh.org"
36 "diffie-hellman-group-exchange-sha256" 81 "diffie-hellman-group-exchange-sha256"
37 ]; 82 ];
38 HostKeyAlgorithms = concatStringsSep "," [ 83 HostKeyAlgorithms = [
39 "sk-ssh-ed25519-cert-v01@openssh.com" 84 "sk-ssh-ed25519-cert-v01@openssh.com"
40 "ssh-ed25519-cert-v01@openssh.com" 85 "ssh-ed25519-cert-v01@openssh.com"
41 "rsa-sha2-256-cert-v01@openssh.com" 86 "rsa-sha2-256-cert-v01@openssh.com"
@@ -45,7 +90,7 @@ in {
45 "rsa-sha2-256" 90 "rsa-sha2-256"
46 "rsa-sha2-512" 91 "rsa-sha2-512"
47 ]; 92 ];
48 CASignatureAlgorithms = concatStringsSep "," [ 93 CASignatureAlgorithms = [
49 "sk-ssh-ed25519@openssh.com" 94 "sk-ssh-ed25519@openssh.com"
50 "ssh-ed25519" 95 "ssh-ed25519"
51 "rsa-sha2-256" 96 "rsa-sha2-256"
@@ -79,11 +124,46 @@ in {
79 ./known-hosts/borgbase.keys 124 ./known-hosts/borgbase.keys
80 ]; 125 ];
81 126
82 ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes256-ctr" ]; 127 ciphers = [
83 hostKeyAlgorithms = [ "sk-ssh-ed25519-cert-v01@openssh.com" "ssh-ed25519-cert-v01@openssh.com" "rsa-sha2-256-cert-v01@openssh.com" "rsa-sha2-512-cert-v01@openssh.com" "sk-ssh-ed25519@openssh.com" "ssh-ed25519" "rsa-sha2-256" "rsa-sha2-512" ]; 128 "chacha20-poly1305@openssh.com"
84 kexAlgorithms = [ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ]; 129 "aes256-gcm@openssh.com"
85 macs = [ "umac-128-etm@openssh.com" "hmac-sha2-256-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128@openssh.com" "hmac-sha2-256" "hmac-sha2-512" "umac-64-etm@openssh.com" "umac-64@openssh.com"]; 130 "aes256-ctr"
86 pubkeyAcceptedKeyTypes = [ "ssh-ed25519-cert-v01@openssh.com" "sk-ssh-ed25519-cert-v01@openssh.com" "rsa-sha2-512-cert-v01@openssh.com" "rsa-sha2-256-cert-v01@openssh.com" "ssh-ed25519" "ssh-rsa" ]; 131 ];
132 macs = [
133 "umac-128-etm@openssh.com"
134 "hmac-sha2-256-etm@openssh.com"
135 "hmac-sha2-512-etm@openssh.com"
136 "umac-128@openssh.com"
137 "hmac-sha2-256"
138 "hmac-sha2-512"
139 "umac-64-etm@openssh.com"
140 "umac-64@openssh.com"
141 ];
142 kexAlgorithms = [
143 "sntrup761x25519-sha512@openssh.com"
144 "curve25519-sha256"
145 "curve25519-sha256@libssh.org"
146 "diffie-hellman-group-exchange-sha256"
147 ];
148 hostKeyAlgorithms = [
149 "sk-ssh-ed25519-cert-v01@openssh.com"
150 "ssh-ed25519-cert-v01@openssh.com"
151 "rsa-sha2-256-cert-v01@openssh.com"
152 "rsa-sha2-512-cert-v01@openssh.com"
153 "sk-ssh-ed25519@openssh.com"
154 "ssh-ed25519"
155 "rsa-sha2-256"
156 "rsa-sha2-512"
157 ];
158 pubkeyAcceptedKeyTypes = [
159 "ssh-ed25519-cert-v01@openssh.com"
160 "sk-ssh-ed25519-cert-v01@openssh.com"
161 "rsa-sha2-512-cert-v01@openssh.com"
162 "rsa-sha2-256-cert-v01@openssh.com"
163 "ssh-ed25519"
164 "ssh-rsa"
165 ];
166
87 extraConfig = '' 167 extraConfig = ''
88 Host * 168 Host *
89 CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512 169 CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512