SSH Hardening by enforcing high-quality encryption

hosts/micronix/default.nix

@@ -8,6 +8,7 @@
     ./ui.nix
     ./searxng.nix
     ./energy.nix
+    ./ssh.nix
   ];
 
   config = {

hosts/micronix/ssh.nix

@@ -0,0 +1,24 @@
+{...}: {
+  programs.ssh = {
+    startAgent = true;
+    enableAskPassword = true;
+    hostKeyAlgorithms = [
+      "ssh-ed25519"
+    ];
+    pubkeyAcceptedKeyTypes = [
+      "ssh-ed25519"
+    ];
+    kexAlgorithms = [
+      "sntrup761x25519-sha512@openssh.com"
+      "curve25519-sha256@libssh.org"
+    ];
+    ciphers = [
+      "chacha20-poly1305@openssh.com"
+      "aes256-gcm@openssh.com"
+    ];
+    macs = [
+      "hmac-sha2-512-etm@openssh.com"
+      "hmac-sha2-256-etm@openssh.com"
+    ];
+  };
+}

hosts/micronix/users.nix

@@ -147,9 +147,4 @@
       enable = true;
     };
   };
-
-  programs.ssh = {
-    enable = true;
-    startAgent = true;
-  };
 }