From 89749d73a82bd0bfdfa225be06a6db8e82371ff4 Mon Sep 17 00:00:00 2001
From: Gregor Kleen <gkleen@yggdrasil.li>
Date: Mon, 20 Mar 2023 11:51:00 +0100
Subject: ...

---
 system-profiles/openssh/default.nix | 44 ++++++++++++++++++++++++++++++++-----
 1 file changed, 38 insertions(+), 6 deletions(-)

(limited to 'system-profiles/openssh')

diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix
index cc4ecdf0..8f0bd11b 100644
--- a/system-profiles/openssh/default.nix
+++ b/system-profiles/openssh/default.nix
@@ -8,7 +8,7 @@ in {
   options = {
     services.openssh.staticHostKeys = mkOption {
       type = types.bool;
-      default = true;
+      default = pathExists (./host-keys + "/${hostName}.yaml");
     };
   };
 
@@ -18,13 +18,45 @@ in {
     services.openssh = mkIf cfg.enable {
       hostKeys = mkIf cfg.staticHostKeys (mkForce []); # done manually
       settings = {
-        Ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes256-ctr" ];
-        Macs = [ "hmac-sha2-256-etm@openssh.com" "hmac-sha2-256" "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512" ];
-        KexAlgorithms = [ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ];
+        Ciphers = [
+          "chacha20-poly1305@openssh.com"
+          "aes256-gcm@openssh.com"
+          "aes256-ctr"
+        ];
+        Macs = [
+          "hmac-sha2-256-etm@openssh.com"
+          "hmac-sha2-256"
+          "hmac-sha2-512-etm@openssh.com"
+          "hmac-sha2-512"
+        ];
+        KexAlgorithms = [
+          "sntrup761x25519-sha512@openssh.com"
+          "curve25519-sha256"
+          "curve25519-sha256@libssh.org"
+          "diffie-hellman-group-exchange-sha256"
+        ];
+        HostKeyAlgorithms = concatStringsSep "," [
+          "sk-ssh-ed25519-cert-v01@openssh.com"
+          "ssh-ed25519-cert-v01@openssh.com"
+          "rsa-sha2-256-cert-v01@openssh.com"
+          "rsa-sha2-512-cert-v01@openssh.com"
+          "sk-ssh-ed25519@openssh.com"
+          "ssh-ed25519"
+          "rsa-sha2-256"
+          "rsa-sha2-512"
+        ];
+        CASignatureAlgorithms = concatStringsSep "," [
+          "sk-ssh-ed25519@openssh.com"
+          "ssh-ed25519"
+          "rsa-sha2-256"
+          "rsa-sha2-512"
+        ];
+
         LogLevel = "VERBOSE";
-        HostKeyAlgorithms = "sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512";
-        CASignatureAlgorithms = "sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512";
         RevokedKeys = "/etc/ssh/krl.bin";
+
+        PasswordAuthentication = mkDefault false;
+        KbdInteractiveAuthentication = mkDefault false;
       };
       moduliFile = mkIf (config.sops.secrets ? "ssh_moduli") config.sops.secrets.ssh_moduli.path;
       extraConfig = ''
-- 
cgit v1.2.3