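# Module declaring explicit defaults for three sshd signature-algorithm settings
# (HostKeyAlgorithms, CASignatureAlgorithms, PubkeyAcceptedAlgorithms) under
# `services.openssh.settings`.  Only the option declarations live here; each value
# is a plain comma-separated string in the form sshd_config expects.
#
# NOTE(review): the NixOS openssh module declares `services.openssh.settings` itself
# (as a submodule option).  Declaring sub-options of it from a second module may be
# rejected by the module system as a conflicting declaration — confirm against the
# consumer that evaluates this file.
{ lib, ... }:

let
  inherit (lib) mkOption types concatStringsSep;

  # Signature algorithms accepted for server host keys and for user public keys.
  # The two settings used the same 21-entry list, so it is kept once here so the
  # copies cannot drift apart.  Order is preserved: OpenSSH treats these settings as
  # preference lists, so ed25519 is tried first.
  #
  # NOTE(review): `ssh-dss`, `ssh-dss-cert-v01@openssh.com`, `ssh-rsa` and
  # `ssh-rsa-cert-v01@openssh.com` are SHA-1 based signature algorithms that current
  # OpenSSH releases disable by default; listing them here re-enables them and widens
  # what peers may authenticate with.  Keep them only if legacy peers genuinely need
  # them, otherwise drop them (the `rsa-sha2-*` entries cover RSA keys safely).
  #
  # NOTE(review): `webauthn-sk-ecdsa-sha2-nistp256@openssh.com` is a user-auth
  # algorithm; it is unlikely to be meaningful for HostKeyAlgorithms — confirm.
  keyAlgorithms = [
    "ssh-ed25519"
    "ssh-ed25519-cert-v01@openssh.com"
    "sk-ssh-ed25519@openssh.com"
    "sk-ssh-ed25519-cert-v01@openssh.com"
    "ecdsa-sha2-nistp256"
    "ecdsa-sha2-nistp256-cert-v01@openssh.com"
    "ecdsa-sha2-nistp384"
    "ecdsa-sha2-nistp384-cert-v01@openssh.com"
    "ecdsa-sha2-nistp521"
    "ecdsa-sha2-nistp521-cert-v01@openssh.com"
    "sk-ecdsa-sha2-nistp256@openssh.com"
    "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com"
    "webauthn-sk-ecdsa-sha2-nistp256@openssh.com"
    "ssh-dss"
    "ssh-dss-cert-v01@openssh.com"
    "ssh-rsa"
    "ssh-rsa-cert-v01@openssh.com"
    "rsa-sha2-256"
    "rsa-sha2-256-cert-v01@openssh.com"
    "rsa-sha2-512"
    "rsa-sha2-512-cert-v01@openssh.com"
  ];

  # Signature algorithms a certificate authority may use when signing certificates.
  # This list does not contain the SHA-1 based entries present in `keyAlgorithms`.
  caAlgorithms = [
    "ssh-ed25519"
    "ecdsa-sha2-nistp256"
    "ecdsa-sha2-nistp384"
    "ecdsa-sha2-nistp521"
    "sk-ssh-ed25519@openssh.com"
    "sk-ecdsa-sha2-nistp256@openssh.com"
    "rsa-sha2-512"
    "rsa-sha2-256"
  ];

  # sshd_config takes each of these settings as a single comma-separated string.
  toSetting = concatStringsSep ",";
in
{
  options.services.openssh.settings = {
    # Host key signature algorithms the server offers, in preference order.
    HostKeyAlgorithms = mkOption {
      type = types.str;
      default = toSetting keyAlgorithms;
      description = "HostKeyAlgorithms";
    };

    # Signature algorithms accepted on certificates issued by a trusted CA.
    CASignatureAlgorithms = mkOption {
      type = types.str;
      default = toSetting caAlgorithms;
      description = "CASignatureAlgorithms";
    };

    # Signature algorithms accepted for user public-key authentication.
    PubkeyAcceptedAlgorithms = mkOption {
      type = types.str;
      default = toSetting keyAlgorithms;
      description = "PubkeyAcceptedAlgorithms";
    };
  };
}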