From 37292c1c8d2a7b3038fdad635372bbccd833e698 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Mon, 27 Feb 2023 15:08:09 +0100
Subject: ...
---
system-profiles/openssh/default.nix | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
(limited to 'system-profiles/openssh/default.nix')
diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix
index 221dac3c..929a5bdd 100644
--- a/system-profiles/openssh/default.nix
+++ b/system-profiles/openssh/default.nix
@@ -17,21 +17,22 @@ in { services.openssh = mkIf cfg.enable { hostKeys = mkIf cfg.staticHostKeys (mkForce []); # done manually - ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes256-ctr" ]; - macs = [ "hmac-sha2-256-etm@openssh.com" "hmac-sha2-256" "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512" ]; - kexAlgorithms = [ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ]; + settings = { + Ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes256-ctr" ]; + Macs = [ "hmac-sha2-256-etm@openssh.com" "hmac-sha2-256" "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512" ]; + KexAlgorithms = [ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ]; + LogLevel = "VERBOSE"; + HostKeyAlgorithms = [ "sk-ssh-ed25519-cert-v01@openssh.com" "ssh-ed25519-cert-v01@openssh.com" "rsa-sha2-256-cert-v01@openssh.com" "rsa-sha2-512-cert-v01@openssh.com" "sk-ssh-ed25519@openssh.com" "ssh-ed25519" "rsa-sha2-256" "rsa-sha2-512" ]; + CASignatureAlgorithms = [ "sk-ssh-ed25519@openssh.com" "ssh-ed25519" "rsa-sha2-256" "rsa-sha2-512" ]; + RevokedKeys = "/etc/ssh/krl.bin"; + }; moduliFile = mkIf (config.sops.secrets ? "ssh_moduli") config.sops.secrets.ssh_moduli.path; extraConfig = '' - HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512 - CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512 - ${optionalString cfg.staticHostKeys "HostKey /etc/ssh/ssh_host_ed25519_key"} ${optionalString (config.environment.etc ? "ssh/ssh_host_ed25519_key-cert.pub") "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"} ${optionalString cfg.staticHostKeys "HostKey /etc/ssh/ssh_host_rsa_key"} ${optionalString (config.environment.etc ? 
"ssh/ssh_host_rsa_key-cert.pub") "HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub"} - RevokedKeys /etc/ssh/krl.bin ''; - logLevel = "VERBOSE"; }; programs.ssh = { -- cgit v1.2.3
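Review bot: `RevokedKeys = "/etc/ssh/krl.bin"` in the new `settings` block points at a file nothing in this hunk provisions, and sshd treats an unreadable RevokedKeys file as fail-closed, refusing public-key authentication for every user; a comment above that line should record the contract, e.g. `# KRL must exist and be readable: sshd refuses all public-key auth otherwise (sshd_config(5), RevokedKeys)`. The moved `HostKeyAlgorithms` and `CASignatureAlgorithms` lists likewise carry no note on why the set is restricted to ed25519, sk-ed25519 and rsa-sha2 plus their certificate variants, which a future maintainer will need before loosening it. The `HostKey`/`HostCertificate` lines stay in `extraConfig` while every other keyword moved to `settings`; a one-line comment on `extraConfig` saying they remain there because they are conditional on `cfg.staticHostKeys` and the presence of the cert files would make the split read as intentional. The enclosing module attribute set (`in {`) begins before this hunk.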