path: root/system-profiles/openssh/default.nix
Diffstat (limited to 'system-profiles/openssh/default.nix')
-rw-r--r--system-profiles/openssh/default.nix33
1 files changed, 27 insertions, 6 deletions
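--- a/system-profiles/openssh/default.nix
+++ b/system-profiles/openssh/default.nix
@@ -14,18 +14,39 @@
 type = "ed25519";
 }
 ];
+ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes256-ctr" ];
+macs = [ "hmac-sha2-256-etm@openssh.com" "hmac-sha2-256" "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512" ];
+kexAlgorithms = [ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ];
+moduliFile = config.sops.secrets.ssh_moduli.path;
+};
+
+programs.ssh = {
+ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes256-ctr" ];
+hostKeyAlgorithms = [ "ssh-ed25519-cert-v01@openssh.com" "ssh-rsa-cert-v01@openssh.com" "ssh-ed25519" "ssh-rsa" ];
+kexAlgorithms = [ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ];
+macs = [ "hmac-sha2-256-etm@openssh.com" "hmac-sha2-256" "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512" ];
+pubkeyAcceptedKeyTypes = [ "ssh-ed25519" "ssh-rsa" ];
+extraConfig = ''
+Host *
+UseRoaming no
+'';
 };
 
 sops.secrets = lib.mkIf config.services.openssh.enable {
 ssh_host_rsa_key = {
 key = "rsa";
 path = "/etc/ssh/ssh_host_rsa_key";
 sopsFile = ./host-keys + "/${hostName}.yaml";
 };
 ssh_host_ed25519_key = {
 key = "ed25519";
 path = "/etc/ssh/ssh_host_ed25519_key";
 sopsFile = ./host-keys + "/${hostName}.yaml";
+};
+ssh_moduli = {
+format = "binary";
+path = "/etc/ssh/moduli";
+sopsFile = ./host-moduli + "/${hostName}";
 };
 };
 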
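Review bot: The client-side `hostKeyAlgorithms` and `pubkeyAcceptedKeyTypes` in the new `programs.ssh` block list `ssh-rsa` and `ssh-rsa-cert-v01@openssh.com`, which are the SHA-1 RSA signature algorithms that OpenSSH stopped accepting by default in 8.8; putting them back in an explicit allow-list re-enables SHA-1 signatures while leaving out the `rsa-sha2-*` forms that modern servers and keys actually offer, so RSA hosts either downgrade to SHA-1 or fail to negotiate. I would change the two lines to `hostKeyAlgorithms = [ "ssh-ed25519-cert-v01@openssh.com" "rsa-sha2-512-cert-v01@openssh.com" "rsa-sha2-256-cert-v01@openssh.com" "ssh-ed25519" "rsa-sha2-512" "rsa-sha2-256" ];` and `pubkeyAcceptedKeyTypes = [ "ssh-ed25519" "rsa-sha2-512" "rsa-sha2-256" ];` (the hunk shows no intent to talk to legacy-only peers that would justify keeping `ssh-rsa`). Separately, `moduliFile = config.sops.secrets.ssh_moduli.path` while the `ssh_moduli` secret sets `path = "/etc/ssh/moduli"` looks like two mechanisms managing the same file: if I read the NixOS openssh module correctly it installs `moduliFile` as the source of `environment.etc."ssh/moduli"`, which here would point at its own install path while sops-nix also places the secret there — dropping the secret's `path` (letting it live under the sops-nix default location) and keeping only the `moduliFile` reference avoids the collision; worth confirming on a rebuild. `UseRoaming no` in `extraConfig` is a no-op on any OpenSSH that still ships (the roaming code was removed in 7.3 and the keyword is treated as deprecated), so it is safe but only documents an old mitigation; a short comment like `# UseRoaming: legacy client-roaming mitigation, ignored by OpenSSH >= 7.3` would stop the next reader from assuming it does something.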