|
12 | 12 | addPopularKnownHosts = libS.mkOpinionatedOption "add ssh public keys of popular websites to known_hosts"; |
13 | 13 | addHelpOnHostkeyMismatch = libS.mkOpinionatedOption "show a ssh-keygen command to remove mismatching ssh knownhosts entries"; |
14 | 14 | recommendedDefaults = libS.mkOpinionatedOption "set recommend and secure default settings"; |
| 15 | + |
| 16 | + package = lib.mkOption { |
| 17 | + apply = p: if cfgP.addHelpOnHostkeyMismatch then |
| 18 | + (p.overrideAttrs ({ patches, ... }: { |
| 19 | + patches = patches ++ [ |
| 20 | + (pkgs.fetchpatch { |
| 21 | + urls = |
| 22 | + let |
| 23 | + version = "1%259.9p1-1"; |
| 24 | + in |
| 25 | + [ |
| 26 | + "https://salsa.debian.org/ssh-team/openssh/-/raw/debian/${version}/debian/patches/mention-ssh-keygen-on-keychange.patch" |
| 27 | + ]; |
| 28 | + hash = "sha256-OZPOHwQkclUAjG3ShfYX66sbW2ahXPgsV6XNfzl9SIg="; |
| 29 | + }) |
| 30 | + ]; |
| 31 | + |
| 32 | + # takes to long and unstable requires openssh to work to advance |
| 33 | + doCheck = false; |
| 34 | + })) |
| 35 | + else |
| 36 | + p; |
| 37 | + }; |
15 | 38 | }; |
16 | 39 |
|
17 | 40 | services.openssh = { |
|
63 | 86 | (libS.mkPubKey "*.your-storagebox.de" "ssh-rsa" "AAAAB3NzaC1yc2EAAAABIwAAAQEA5EB5p/5Hp3hGW1oHok+PIOH9Pbn7cnUiGmUEBrCVjnAw+HrKyN8bYVV0dIGllswYXwkG/+bgiBlE6IVIBAq+JwVWu1Sss3KarHY3OvFJUXZoZyRRg/Gc/+LRCE7lyKpwWQ70dbelGRyyJFH36eNv6ySXoUYtGkwlU5IVaHPApOxe4LHPZa/qhSRbPo2hwoh0orCtgejRebNtW5nlx00DNFgsvn8Svz2cIYLxsPVzKgUxs8Zxsxgn+Q/UvR7uq4AbAhyBMLxv7DjJ1pc7PJocuTno2Rw9uMZi1gkjbnmiOh6TTXIEWbnroyIhwc8555uto9melEUmWNQ+C+PwAK+MPw==") |
64 | 87 | (libS.mkPubKey "*.your-storagebox.de" "ssh-ed25519" "AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs") |
65 | 88 | ]); |
66 | | - package = lib.mkIf cfgP.addHelpOnHostkeyMismatch (pkgs.openssh.overrideAttrs ({ patches, ... }: { |
67 | | - patches = patches ++ [ |
68 | | - (pkgs.fetchpatch { |
69 | | - urls = |
70 | | - let |
71 | | - version = "1%259.9p1-1"; |
72 | | - in |
73 | | - [ |
74 | | - "https://salsa.debian.org/ssh-team/openssh/-/raw/debian/${version}/debian/patches/mention-ssh-keygen-on-keychange.patch" |
75 | | - ]; |
76 | | - hash = "sha256-OZPOHwQkclUAjG3ShfYX66sbW2ahXPgsV6XNfzl9SIg="; |
77 | | - }) |
78 | | - ]; |
79 | | - |
80 | | - # takes to long and unstable requires openssh to work to advance |
81 | | - doCheck = false; |
82 | | - })); |
83 | 89 | }; |
84 | 90 |
|
85 | 91 | services.openssh = lib.mkIf cfgS.recommendedDefaults { |
86 | 92 | settings = { |
87 | | - # following ssh-audit: nixos default minus 2048 bit modules (diffie-hellman-group-exchange-sha256) |
| 93 | + # following ssh-audit: nixos default minus 2048 bit modules (diffie-hellman-group-exchange-sha256) and not post-quantum safe (curve25519-sha256) |
88 | 94 | KexAlgorithms = [ |
89 | 95 | "mlkem768x25519-sha256" |
90 | 96 | "sntrup761x25519-sha512" |
91 | 97 | |
92 | | - "curve25519-sha256" |
93 | | - |
94 | 98 | ]; |
95 | | - # following ssh-audit: nixos defaults minus encrypt-and-MAC |
| 99 | + # following ssh-audit: nixos defaults |
96 | 100 | Macs = [ |
97 | 101 | |
98 | 102 | |
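Review bot: Removing `curve25519-sha256` from KexAlgorithms leaves sshd accepting only the two X25519 hybrids, so clients older than OpenSSH 9.0 (sntrup761) or 9.9 (mlkem768) and most non-OpenSSH clients will fail key exchange outright; that is a defensible hardening for `recommendedDefaults`, but the lockout should be stated, and the new comment is imprecise because the hybrids still use X25519 — the reason to drop it is that plain `curve25519-sha256` has no post-quantum component. Suggested comment: `# following ssh-audit: nixos default minus 2048 bit moduli (diffie-hellman-group-exchange-sha256) and minus curve25519-sha256 (no post-quantum component); only the X25519 hybrids remain, so clients older than OpenSSH 9.0/9.9 cannot connect`. Separately, the Debian patch URL in the new `package` option is pinned to `1%259.9p1-1` independently of `p.version`, so a future `pkgs.openssh` bump can make the patch stop applying (the `hash` still pins the content, which is good); a short comment or an assertion tying the pin to the package version would make that failure mode explicit. With the `package` definition deleted from `services.openssh`, nothing in the visible hunks feeds `cfgP.package` back into `services.openssh.package`, and the new option has no `type` or `default`, so presumably that wiring lives outside this diff — worth confirming. The `services.openssh` attribute set continues past the last hunk.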
|