
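# Hardened OpenSSH defaults for both the ssh client (programs.ssh) and
# sshd (services.openssh). Every value is wrapped in lib.mkDefault so a
# host configuration can override any single setting without mkForce.
{ lib, ... }:
let
  # Symmetric ciphers: AEAD only, most preferred first.
  ciphers = [
    "chacha20-poly1305@openssh.com"
    "aes256-gcm@openssh.com"
    "aes128-gcm@openssh.com"
  ];

  # Host-key and user-key signature algorithms: Ed25519 only
  # (certificate form first, then plain keys).
  sigAlgorithms = [
    "ssh-ed25519-cert-v01@openssh.com"
    "ssh-ed25519"
  ];

  # Key exchange: the post-quantum hybrid first, then X25519.
  kexAlgorithms = [
    "sntrup761x25519-sha512@openssh.com"
    "curve25519-sha256"
    "curve25519-sha256@libssh.org"
  ];

  # MACs: encrypt-then-MAC variants only.
  macs = [
    "umac-128-etm@openssh.com"
    "hmac-sha2-512-etm@openssh.com"
    "hmac-sha2-256-etm@openssh.com"
  ];

  # sshd_config takes these two settings as a single comma-separated list.
  sigAlgorithmsStr = lib.concatStringsSep "," sigAlgorithms;
in
{
  programs.ssh = {
    ciphers = lib.mkDefault ciphers;
    # Fix: this previously passed `ciphers` as the KEX list, which would
    # have offered cipher names where key-exchange algorithms are expected.
    kexAlgorithms = lib.mkDefault kexAlgorithms;
    macs = lib.mkDefault macs;
    hostKeyAlgorithms = lib.mkDefault sigAlgorithms;
    pubkeyAcceptedKeyTypes = lib.mkDefault sigAlgorithms;
    # Do not point the client at an xauth binary (X11 forwarding is not set up).
    setXAuthLocation = lib.mkDefault false;
  };

  services.openssh = {
    settings = {
      # Key-based, non-root logins only.
      PermitRootLogin = lib.mkDefault "no";
      PasswordAuthentication = lib.mkDefault false;
      KbdInteractiveAuthentication = lib.mkDefault false;
      AuthenticationMethods = lib.mkDefault "publickey";

      # Same algorithm policy as the client side above.
      Ciphers = lib.mkDefault ciphers;
      Macs = lib.mkDefault macs;
      KexAlgorithms = lib.mkDefault kexAlgorithms;
      HostKeyAlgorithms = lib.mkDefault sigAlgorithmsStr;
      PubkeyAcceptedAlgorithms = lib.mkDefault sigAlgorithmsStr;

      # Remove stale Unix sockets when forwarding
      StreamLocalBindUnlink = lib.mkDefault true;
      # Seconds of client inactivity before sshd sends a liveness probe,
      # so dead sessions are eventually torn down.
      ClientAliveInterval = lib.mkDefault 900;
    };
  };
}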