From 0e6504c54bddefb27a666e1e76f7d53b8e5786c1 Mon Sep 17 00:00:00 2001
From: Daniel Langbein
Date: Sat, 28 Sep 2024 22:20:48 +0200
Subject: [PATCH] ssh config

---
 modules/ssh-server.nix | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/modules/ssh-server.nix b/modules/ssh-server.nix
index fcdbab4..c53ecd0 100644
--- a/modules/ssh-server.nix
+++ b/modules/ssh-server.nix
@@ -14,10 +14,23 @@
 then [2226]
 else throw "Please add ssh port here"
 );
- # Use authorized keys only.
- settings.PasswordAuthentication = false;
+ # Enabling this is required for commands such as sftp and sshfs.
 allowSFTP = false;
+
+ settings = {
+ # Use authorized keys only.
+ PasswordAuthentication = false;
+
+ #
+ # https://infosec.mozilla.org/guidelines/openssh
+ #
+ Macs = ["hmac-sha2-512-etm@openssh.com"];
+ Ciphers = ["chacha20-poly1305@openssh.com"];
+ # TODO Use 25519 instead of RSA key pairs
+ #KexAlgorithms = ["curve25519-sha256@libssh.org"];
+ };
+
 };
 # TODO replace authorizedKeys in all .nix files with authorizedKeyFiles
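Review bot: The TODO above the commented-out `KexAlgorithms` line ties two unrelated settings together: `KexAlgorithms` restricts the key-exchange method negotiated per connection, whereas "RSA key pairs" refers to the authentication keys, so the key-exchange restriction does not need to wait for a migration of key pairs. Leaving the line commented out presumably means sshd's default KEX list applies, so the hardening is narrower than the `Ciphers` and `Macs` lines next to it suggest. I would enable it as `KexAlgorithms = ["curve25519-sha256@libssh.org"];` and move the key-pair migration into its own TODO beside the `authorizedKeys` one, since restricting `Ciphers` and `Macs` to a single algorithm each already means any client lacking them is refused outright and the comment should say so. The new comment on `allowSFTP = false;` reads as a contradiction (it describes enabling while the value disables); `# Disabled; set to true if sftp or sshfs access is needed.` states the same fact without the ambiguity. The enclosing `services.openssh` attribute set opens before this hunk.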