# Module fragment declaring string-typed options, with defaults, for three
# sshd algorithm settings under services.openssh.settings:
#   HostKeyAlgorithms, CASignatureAlgorithms, PubkeyAcceptedAlgorithms.
# Each default is a single comma-joined string built from the lists below.
{ lib, ... }:

let
  inherit (lib) concatStringsSep mkOption types;

  # Declare a string option whose default is the given names joined with ",".
  # Entry order is preserved exactly as written.
  algorithmOption = names: mkOption {
    type = types.str;
    default = concatStringsSep "," names;
  };

  # Shared default for HostKeyAlgorithms and PubkeyAcceptedAlgorithms; the two
  # settings use the same entries in the same order.
  keySignatureAlgorithms = [
    "ssh-ed25519"
    "ssh-ed25519-cert-v01@openssh.com"
    "sk-ssh-ed25519@openssh.com"
    "sk-ssh-ed25519-cert-v01@openssh.com"
    "ecdsa-sha2-nistp256"
    "ecdsa-sha2-nistp256-cert-v01@openssh.com"
    "ecdsa-sha2-nistp384"
    "ecdsa-sha2-nistp384-cert-v01@openssh.com"
    "ecdsa-sha2-nistp521"
    "ecdsa-sha2-nistp521-cert-v01@openssh.com"
    "sk-ecdsa-sha2-nistp256@openssh.com"
    "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com"
    "webauthn-sk-ecdsa-sha2-nistp256@openssh.com"
    # NOTE(review): ssh-dss is DSA and ssh-rsa is RSA with SHA-1 signatures.
    # Upstream OpenSSH no longer enables either by default, so listing them
    # here re-enables legacy signature algorithms for host keys and for user
    # authentication. If no legacy peer needs them, drop these four entries;
    # rsa-sha2-256/512 below still cover RSA keys.
    # NOTE(review): an sshd built without DSA support may reject the ssh-dss
    # names outright. Confirm with `ssh -Q key-sig` and `sshd -T` on the
    # target version.
    "ssh-dss"
    "ssh-dss-cert-v01@openssh.com"
    "ssh-rsa"
    "ssh-rsa-cert-v01@openssh.com"
    "rsa-sha2-256"
    "rsa-sha2-256-cert-v01@openssh.com"
    "rsa-sha2-512"
    "rsa-sha2-512-cert-v01@openssh.com"
  ];

  # Default for CASignatureAlgorithms. Unlike the list above, it has no
  # ssh-dss or ssh-rsa (SHA-1) entry.
  caSignatureAlgorithms = [
    "ssh-ed25519"
    "ecdsa-sha2-nistp256"
    "ecdsa-sha2-nistp384"
    "ecdsa-sha2-nistp521"
    "sk-ssh-ed25519@openssh.com"
    "sk-ecdsa-sha2-nistp256@openssh.com"
    "rsa-sha2-512"
    "rsa-sha2-256"
  ];
in
{
  options.services.openssh.settings = {
    HostKeyAlgorithms = algorithmOption keySignatureAlgorithms;
    CASignatureAlgorithms = algorithmOption caSignatureAlgorithms;
    PubkeyAcceptedAlgorithms = algorithmOption keySignatureAlgorithms;
  };
}