From 2906243c996f5f925ca1f5404383d60a3b8b1a46 Mon Sep 17 00:00:00 2001
From: xmm16
Date: Wed, 18 Dec 2024 18:33:11 -0300
Subject: [PATCH] SSH Hardening by enforcing high-quality encryption

---
 hosts/micronix/default.nix | 1 +
 hosts/micronix/ssh.nix | 24 ++++++++++++++++++++++++
 hosts/micronix/users.nix | 5 -----
 3 files changed, 25 insertions(+), 5 deletions(-)
 create mode 100644 hosts/micronix/ssh.nix

diff --git a/hosts/micronix/default.nix b/hosts/micronix/default.nix
index 3abbf0b..8d28420 100644
--- a/hosts/micronix/default.nix
+++ b/hosts/micronix/default.nix
@@ -8,6 +8,7 @@
 ./ui.nix
 ./searxng.nix
 ./energy.nix
+ ./ssh.nix
 ];
 
 config = {
diff --git a/hosts/micronix/ssh.nix b/hosts/micronix/ssh.nix
new file mode 100644
index 0000000..0a5893c
--- /dev/null
+++ b/hosts/micronix/ssh.nix
@@ -0,0 +1,24 @@
+{...}: {
+ programs.ssh = {
+ startAgent = true;
+ enableAskPassword = true;
+ hostKeyAlgorithms = [
+ "ssh-ed25519"
+ ];
+ pubkeyAcceptedKeyTypes = [
+ "ssh-ed25519"
+ ];
+ kexAlgorithms = [
+ "sntrup761x25519-sha512@openssh.com"
+ "curve25519-sha256@libssh.org"
+ ];
+ ciphers = [
+ "chacha20-poly1305@openssh.com"
+ "aes256-gcm@openssh.com"
+ ];
+ macs = [
+ "hmac-sha2-512-etm@openssh.com"
+ "hmac-sha2-256-etm@openssh.com"
+ ];
+ };
+}
diff --git a/hosts/micronix/users.nix b/hosts/micronix/users.nix
index 694c386..9c69c65 100644
--- a/hosts/micronix/users.nix
+++ b/hosts/micronix/users.nix
@@ -147,9 +147,4 @@
 enable = true;
 };
 };
-
- programs.ssh = {
- enable = true;
- startAgent = true;
- };
 }
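Review bot: The new hosts/micronix/ssh.nix configures only the OpenSSH client (`programs.ssh` writes ssh_config), so despite the commit title nothing here hardens the sshd side; if server hardening is also intended it belongs under `services.openssh.settings` (KexAlgorithms/Ciphers/Macs there), and a one-line header such as `# Client-side ssh_config policy only; sshd is configured separately via services.openssh.` would stop the next reader from assuming otherwise. Restricting `hostKeyAlgorithms` and `pubkeyAcceptedKeyTypes` to the bare `ssh-ed25519` type also excludes the certificate form (`ssh-ed25519-cert-v01@openssh.com`) and the FIDO form (`sk-ssh-ed25519@openssh.com`) of the same key, and makes any host that still presents an RSA/ECDSA host key unreachable from this machine; if either is in use the lists should be widened or a `Match`/`Host` exception added via `extraConfig`. The block removed from users.nix also set `enable = true`, which ssh.nix does not carry over — confirm that this option is not needed by the module in use so the refactor does not silently change the client configuration.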