From 34f476d40e178ce082c4ac0aa2e86116fa7fb5d8 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Mon, 20 Mar 2023 12:12:19 +0100
Subject: ...
---
 modules/openssh.nix | 75 +++++++++++++++++++++++++++++++++++++
 system-profiles/openssh/default.nix | 65 --------------------------------
 2 files changed, 75 insertions(+), 65 deletions(-)
 create mode 100644 modules/openssh.nix
diff --git a/modules/openssh.nix b/modules/openssh.nix
new file mode 100644
index 00000000..0ac2d2c6
--- /dev/null
+++ b/modules/openssh.nix
@@ -0,0 +1,75 @@
+{ ... }:
+
+with lib;
+
+{
+ options = {
+ services.openssh = {
+ settings.HostKeyAlgorithms = mkOption {
+ type = types.listOf types.str;
+ default = [
+ "ssh-ed25519"
+ "ssh-ed25519-cert-v01@openssh.com"
+ "sk-ssh-ed25519@openssh.com"
+ "sk-ssh-ed25519-cert-v01@openssh.com"
+ "ecdsa-sha2-nistp256"
+ "ecdsa-sha2-nistp256-cert-v01@openssh.com"
+ "ecdsa-sha2-nistp384"
+ "ecdsa-sha2-nistp384-cert-v01@openssh.com"
+ "ecdsa-sha2-nistp521"
+ "ecdsa-sha2-nistp521-cert-v01@openssh.com"
+ "sk-ecdsa-sha2-nistp256@openssh.com"
+ "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com"
+ "webauthn-sk-ecdsa-sha2-nistp256@openssh.com"
+ "ssh-dss"
+ "ssh-dss-cert-v01@openssh.com"
+ "ssh-rsa"
+ "ssh-rsa-cert-v01@openssh.com"
+ "rsa-sha2-256"
+ "rsa-sha2-256-cert-v01@openssh.com"
+ "rsa-sha2-512"
+ "rsa-sha2-512-cert-v01@openssh.com"
+ ];
+ };
+ settings.CASignatureAlgorithms = mkOption {
+ type = types.listOf types.str;
+ default = [
+ "ssh-ed25519"
+ "ecdsa-sha2-nistp256"
+ "ecdsa-sha2-nistp384"
+ "ecdsa-sha2-nistp521"
+ "sk-ssh-ed25519@openssh.com"
+ "sk-ecdsa-sha2-nistp256@openssh.com"
+ "rsa-sha2-512"
+ "rsa-sha2-256"
+ ];
+ };
+ settings.PubkeyAcceptedAlgorithms = mkOption {
+ type = types.listOf types.str;
+ default = [
+ "ssh-ed25519"
+ "ssh-ed25519-cert-v01@openssh.com"
+ "sk-ssh-ed25519@openssh.com"
+ "sk-ssh-ed25519-cert-v01@openssh.com"
+ "ecdsa-sha2-nistp256"
+ "ecdsa-sha2-nistp256-cert-v01@openssh.com"
+ "ecdsa-sha2-nistp384"
+ "ecdsa-sha2-nistp384-cert-v01@openssh.com"
+ "ecdsa-sha2-nistp521"
+ "ecdsa-sha2-nistp521-cert-v01@openssh.com"
+ "sk-ecdsa-sha2-nistp256@openssh.com"
+ "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com"
+ "webauthn-sk-ecdsa-sha2-nistp256@openssh.com"
+ "ssh-dss"
+ "ssh-dss-cert-v01@openssh.com"
+ "ssh-rsa"
+ "ssh-rsa-cert-v01@openssh.com"
+ "rsa-sha2-256"
+ "rsa-sha2-256-cert-v01@openssh.com"
+ "rsa-sha2-512"
+ "rsa-sha2-512-cert-v01@openssh.com"
+ ];
+ };
+ };
+ };
+}
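Review bot: `lib` is never bound in this new module — the first line is `{ ... }:` and the next is `with lib;`, so `mkOption` and `types` below resolve to an undefined variable as soon as the module is evaluated; the header should read `{ lib, ... }:`. Separately, the defaults for HostKeyAlgorithms and PubkeyAcceptedAlgorithms still list `ssh-dss`, `ssh-dss-cert-v01@openssh.com`, `ssh-rsa` and `ssh-rsa-cert-v01@openssh.com`: DSA and SHA-1 RSA signatures are disabled by default in current OpenSSH (ssh-rsa since 8.8, DSA since 7.0 and dropped from recent releases), and naming them here turns them back on for every host importing the module, while `rsa-sha2-256`/`rsa-sha2-512` already cover RSA keys with SHA-2. I would drop the four entries, or if a specific legacy client still needs them, keep them last and annotate them, e.g. `# ssh-dss/ssh-rsa: SHA-1 signatures, kept only for <client>; remove once it is upgraded`. Each mkOption would also benefit from a `description` stating that this is an ordered preference list rendered into sshd_config, so whoever overrides it later understands the intent; whether these values are actually wired into the sshd configuration is not visible here, since the consuming config lives outside this diff.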
diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix
index df272f04..af4fb4ee 100644
--- a/system-profiles/openssh/default.nix
+++ b/system-profiles/openssh/default.nix
@@ -57,71 +57,6 @@ in {
 type = types.bool;
 default = pathExists (./host-keys + "/${hostName}.yaml");
 };
- settings.HostKeyAlgorithms = mkOption {
- type = types.listOf types.str;
- default = [
- "ssh-ed25519"
- "ssh-ed25519-cert-v01@openssh.com"
- "sk-ssh-ed25519@openssh.com"
- "sk-ssh-ed25519-cert-v01@openssh.com"
- "ecdsa-sha2-nistp256"
- "ecdsa-sha2-nistp256-cert-v01@openssh.com"
- "ecdsa-sha2-nistp384"
- "ecdsa-sha2-nistp384-cert-v01@openssh.com"
- "ecdsa-sha2-nistp521"
- "ecdsa-sha2-nistp521-cert-v01@openssh.com"
- "sk-ecdsa-sha2-nistp256@openssh.com"
- "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com"
- "webauthn-sk-ecdsa-sha2-nistp256@openssh.com"
- "ssh-dss"
- "ssh-dss-cert-v01@openssh.com"
- "ssh-rsa"
- "ssh-rsa-cert-v01@openssh.com"
- "rsa-sha2-256"
- "rsa-sha2-256-cert-v01@openssh.com"
- "rsa-sha2-512"
- "rsa-sha2-512-cert-v01@openssh.com"
- ];
- };
- settings.CASignatureAlgorithms = mkOption {
- type = types.listOf types.str;
- default = [
- "ssh-ed25519"
- "ecdsa-sha2-nistp256"
- "ecdsa-sha2-nistp384"
- "ecdsa-sha2-nistp521"
- "sk-ssh-ed25519@openssh.com"
- "sk-ecdsa-sha2-nistp256@openssh.com"
- "rsa-sha2-512"
- "rsa-sha2-256"
- ];
- };
- settings.PubkeyAcceptedAlgorithms = mkOption {
- type = types.listOf types.str;
- default = [
- "ssh-ed25519"
- "ssh-ed25519-cert-v01@openssh.com"
- "sk-ssh-ed25519@openssh.com"
- "sk-ssh-ed25519-cert-v01@openssh.com"
- "ecdsa-sha2-nistp256"
- "ecdsa-sha2-nistp256-cert-v01@openssh.com"
- "ecdsa-sha2-nistp384"
- "ecdsa-sha2-nistp384-cert-v01@openssh.com"
- "ecdsa-sha2-nistp521"
- "ecdsa-sha2-nistp521-cert-v01@openssh.com"
- "sk-ecdsa-sha2-nistp256@openssh.com"
- "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com"
- "webauthn-sk-ecdsa-sha2-nistp256@openssh.com"
- "ssh-dss"
- "ssh-dss-cert-v01@openssh.com"
- "ssh-rsa"
- "ssh-rsa-cert-v01@openssh.com"
- "rsa-sha2-256"
- "rsa-sha2-256-cert-v01@openssh.com"
- "rsa-sha2-512"
- "rsa-sha2-512-cert-v01@openssh.com"
- ];
- };
 };
 };
-- cgit v1.2.3