From fcc27711cde94f90f035dd7c2861cabd655d9895 Mon Sep 17 00:00:00 2001
From: The Hedgehog
Date: Tue, 30 Aug 2022 13:54:25 -0400
Subject: [PATCH] hosts/common/ssh: Add cipher/mac/kex configurations
---
 hosts/common/ssh.nix | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/hosts/common/ssh.nix b/hosts/common/ssh.nix
index fa813b1..6b7607f 100644
--- a/hosts/common/ssh.nix
+++ b/hosts/common/ssh.nix
@@ -4,6 +4,27 @@
 permitRootLogin = "prohibit-password";
 passwordAuthentication = false;
 kbdInteractiveAuthentication = false;
+ ciphers = [
+ "chacha20-poly1305@openssh.com"
+ "aes256-gcm@openssh.com"
+ "aes128-gcm@openssh.com"
+ "aes256-ctr"
+ "aes192-ctr"
+ "aes128-ctr"
+ ];
+ macs = [
+ "hmac-sha2-512-etm@openssh.com"
+ "hmac-sha2-256-etm@openssh.com"
+ "umac-128-etm@openssh.com"
+ ];
+ kexAlgorithms = [
+ # Experimental, disabled for now.
+ # "sntrup761x25519-sha512@openssh.com"
+ "curve25519-sha256"
+ "curve25519-sha256@libssh.org"
+ # Disabled for being 2048-bit
+ # "diffie-hellman-group-exchange-sha256"
+ ];
 };
 networking.firewall.allowedTCPPorts = [22];
 }
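Review bot: The comment `# Disabled for being 2048-bit` above the commented-out `diffie-hellman-group-exchange-sha256` entry is inaccurate: group exchange negotiates the modulus size from `/etc/ssh/moduli` at connection time and routinely uses 4096–8192-bit groups; the algorithm that is fixed at 2048 bits is `diffie-hellman-group14-sha256`. Keeping it disabled is still a sound choice since curve25519 is offered, but the stated reason will mislead the next editor, so I would change the comment to `# Disabled: group-exchange picks its modulus from /etc/ssh/moduli, which this host does not curate; curve25519 alone is sufficient.` Similarly, `sntrup761x25519-sha512@openssh.com` became OpenSSH's default KEX in 9.0 (April 2022), so if the nixpkgs revision in use ships 9.0 or later the `# Experimental` label is stale and the entry could be enabled or the comment updated to say why it is held back. The `services.openssh` attribute set these options belong to opens before the hunk.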