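diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix
index 8f0bd11b..8960fbb0 100644
--- a/system-profiles/openssh/default.nix
+++ b/system-profiles/openssh/default.nix
@@ -6,9 +6,50 @@ let
 cfg = config.services.openssh;
 in {
 options = {
-services.openssh.staticHostKeys = mkOption {
-type = types.bool;
-default = pathExists (./host-keys + "/${hostName}.yaml");
+services.openssh = {
+staticHostKeys = mkOption {
+type = types.bool;
+default = pathExists (./host-keys + "/${hostName}.yaml");
+};
+settings.HostKeyAlgorithms = mkOption {
+type = types.listOf types.str;
+default = [
+"ssh-ed25519"
+"ssh-ed25519-cert-v01@openssh.com"
+"sk-ssh-ed25519@openssh.com"
+"sk-ssh-ed25519-cert-v01@openssh.com"
+"ecdsa-sha2-nistp256"
+"ecdsa-sha2-nistp256-cert-v01@openssh.com"
+"ecdsa-sha2-nistp384"
+"ecdsa-sha2-nistp384-cert-v01@openssh.com"
+"ecdsa-sha2-nistp521"
+"ecdsa-sha2-nistp521-cert-v01@openssh.com"
+"sk-ecdsa-sha2-nistp256@openssh.com"
+"sk-ecdsa-sha2-nistp256-cert-v01@openssh.com"
+"webauthn-sk-ecdsa-sha2-nistp256@openssh.com"
+"ssh-dss"
+"ssh-dss-cert-v01@openssh.com"
+"ssh-rsa"
+"ssh-rsa-cert-v01@openssh.com"
+"rsa-sha2-256"
+"rsa-sha2-256-cert-v01@openssh.com"
+"rsa-sha2-512"
+"rsa-sha2-512-cert-v01@openssh.com"
+];
+};
+settings.CASignatureAlgorithms = mkOption {
+type = types.listOf types.str;
+default = [
+"ssh-ed25519"
+"ecdsa-sha2-nistp256"
+"ecdsa-sha2-nistp384"
+"ecdsa-sha2-nistp521"
+"sk-ssh-ed25519@openssh.com"
+"sk-ecdsa-sha2-nistp256@openssh.com"
+"rsa-sha2-512"
+"rsa-sha2-256"
+];
+};
+};
 };
 };
 
@@ -24,10 +65,14 @@ in {
 "aes256-ctr"
 ];
 Macs = [
+"umac-128-etm@openssh.com"
 "hmac-sha2-256-etm@openssh.com"
-"hmac-sha2-256"
 "hmac-sha2-512-etm@openssh.com"
+"umac-128@openssh.com"
+"hmac-sha2-256"
 "hmac-sha2-512"
+"umac-64-etm@openssh.com"
+"umac-64@openssh.com"
 ];
 KexAlgorithms = [
 "sntrup761x25519-sha512@openssh.com"
@@ -35,7 +80,7 @@ in {
 "curve25519-sha256@libssh.org"
 "diffie-hellman-group-exchange-sha256"
 ];
-HostKeyAlgorithms = concatStringsSep "," [
+HostKeyAlgorithms = [
 "sk-ssh-ed25519-cert-v01@openssh.com"
 "ssh-ed25519-cert-v01@openssh.com"
 "rsa-sha2-256-cert-v01@openssh.com"
@@ -45,7 +90,7 @@ in {
 "rsa-sha2-256"
 "rsa-sha2-512"
 ];
-CASignatureAlgorithms = concatStringsSep "," [
+CASignatureAlgorithms = [
 "sk-ssh-ed25519@openssh.com"
 "ssh-ed25519"
 "rsa-sha2-256"
@@ -79,11 +124,46 @@ in {
 ./known-hosts/borgbase.keys
 ];
 
-ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes256-ctr" ];
-hostKeyAlgorithms = [ "sk-ssh-ed25519-cert-v01@openssh.com" "ssh-ed25519-cert-v01@openssh.com" "rsa-sha2-256-cert-v01@openssh.com" "rsa-sha2-512-cert-v01@openssh.com" "sk-ssh-ed25519@openssh.com" "ssh-ed25519" "rsa-sha2-256" "rsa-sha2-512" ];
-kexAlgorithms = [ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ];
-macs = [ "umac-128-etm@openssh.com" "hmac-sha2-256-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128@openssh.com" "hmac-sha2-256" "hmac-sha2-512" "umac-64-etm@openssh.com" "umac-64@openssh.com"];
-pubkeyAcceptedKeyTypes = [ "ssh-ed25519-cert-v01@openssh.com" "sk-ssh-ed25519-cert-v01@openssh.com" "rsa-sha2-512-cert-v01@openssh.com" "rsa-sha2-256-cert-v01@openssh.com" "ssh-ed25519" "ssh-rsa" ];
+ciphers = [
+"chacha20-poly1305@openssh.com"
+"aes256-gcm@openssh.com"
+"aes256-ctr"
+];
+macs = [
+"umac-128-etm@openssh.com"
+"hmac-sha2-256-etm@openssh.com"
+"hmac-sha2-512-etm@openssh.com"
+"umac-128@openssh.com"
+"hmac-sha2-256"
+"hmac-sha2-512"
+"umac-64-etm@openssh.com"
+"umac-64@openssh.com"
+];
+kexAlgorithms = [
+"sntrup761x25519-sha512@openssh.com"
+"curve25519-sha256"
+"curve25519-sha256@libssh.org"
+"diffie-hellman-group-exchange-sha256"
+];
+hostKeyAlgorithms = [
+"sk-ssh-ed25519-cert-v01@openssh.com"
+"ssh-ed25519-cert-v01@openssh.com"
+"rsa-sha2-256-cert-v01@openssh.com"
+"rsa-sha2-512-cert-v01@openssh.com"
+"sk-ssh-ed25519@openssh.com"
+"ssh-ed25519"
+"rsa-sha2-256"
+"rsa-sha2-512"
+];
+pubkeyAcceptedKeyTypes = [
+"ssh-ed25519-cert-v01@openssh.com"
+"sk-ssh-ed25519-cert-v01@openssh.com"
+"rsa-sha2-512-cert-v01@openssh.com"
+"rsa-sha2-256-cert-v01@openssh.com"
+"ssh-ed25519"
+"ssh-rsa"
+];
+
 extraConfig = ''
 Host *
 CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512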
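Review bot: The default of the new `settings.HostKeyAlgorithms` option (new lines 17–37 in the first hunk) lists `ssh-dss`, `ssh-dss-cert-v01@openssh.com` and SHA-1 `ssh-rsa`, which current OpenSSH releases no longer offer by default, so any host that imports this profile without the explicit list set further down silently re-enables them. That default also disagrees with the restrictive list the same commit writes into the server config (`HostKeyAlgorithms = [` in the third hunk), which is what takes effect here, so the wide default is dead weight at best and a weaker fallback at worst. I would make the option default the same restrictive list (or declare the option without a default so each user must set it) and add a `description` to both new `mkOption`s stating that they are the sshd host-key and CA signature algorithm lists. If `services.openssh.settings` is the nixpkgs submodule option, declaring nested options beneath it from this module may not be accepted by the module system; presumably this tree evaluates, but worth confirming. On the client side, `pubkeyAcceptedKeyTypes` in the last hunk still carries `"ssh-rsa"`; that is pre-existing, but this reformatting pass would be the natural place to drop it.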