hosts/common/ssh: Add cipher/mac/kex configurations

hosts/common/ssh.nix

@@ -4,6 +4,27 @@
     permitRootLogin = "prohibit-password";
     passwordAuthentication = false;
     kbdInteractiveAuthentication = false;
+    ciphers = [
+      "chacha20-poly1305@openssh.com"
+      "aes256-gcm@openssh.com"
+      "aes128-gcm@openssh.com"
+      "aes256-ctr"
+      "aes192-ctr"
+      "aes128-ctr"
+    ];
+    macs = [
+      "hmac-sha2-512-etm@openssh.com"
+      "hmac-sha2-256-etm@openssh.com"
+      "umac-128-etm@openssh.com"
+    ];
+    kexAlgorithms = [
+      # Experimental, disabled for now.
+      # "sntrup761x25519-sha512@openssh.com"
+      "curve25519-sha256"
+      "curve25519-sha256@libssh.org"
+      # Disabled for being 2048-bit
+      # "diffie-hellman-group-exchange-sha256"
+    ];
   };
   networking.firewall.allowedTCPPorts = [22];
 }