From ad64649a4accf302db58590eb469dd6b9c5ac3ec Mon Sep 17 00:00:00 2001
From: Tristan Druyen
Date: Mon, 5 Aug 2024 16:31:22 +0200
Subject: [PATCH] Lock down ssh kex
---
 os-mods/common/default.nix | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/os-mods/common/default.nix b/os-mods/common/default.nix
index a79b49a..61eefa1 100644
--- a/os-mods/common/default.nix
+++ b/os-mods/common/default.nix
@@ -159,6 +159,11 @@ in
 # enableSSHSupport = true; # breaks gitea foo
 pinentryPackage = lib.mkForce pkgs.pinentry-qt;
 };
+ ssh = {
+ kexAlgorithms = [
+ "sntrup761x25519-sha512@openssh.com"
+ ];
+ };
 };
 services = {
@@ -175,6 +180,9 @@ in
 PasswordAuthentication = false;
 KbdInteractiveAuthentication = false;
 PubKeyAuthentication = true;
+ KexAlgorithms = [
+ "sntrup761x25519-sha512@openssh.com"
+ ];
 };
 extraConfig = ''
 AllowTcpForwarding yes
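Review bot: Both hunks reduce the key-exchange list to the single entry `sntrup761x25519-sha512@openssh.com`, which drops every classical KEX (curve25519-sha256 and the rest) instead of merely preferring the post-quantum hybrid; on the client side (`programs.ssh.kexAlgorithms`, first hunk) this means no connection to any server whose OpenSSH lacks that method (it arrived around 8.5 and only became a default in 9.0, as far as I recall), and on the server side (`services.openssh.settings.KexAlgorithms`, second hunk) older clients are refused, which is a lock-out risk for a remote host if the machine used to recover from a bad deploy is one of them. If the single-algorithm policy is deliberate, a comment above each list should record the trade-off, e.g. `# PQ-hybrid KEX only: peers without sntrup761x25519 support cannot connect (intentional).` The literal is now duplicated client- and server-side; since the hunk headers show an `in`, the file presumably already has a `let` block where a binding `pqKex = [ "sntrup761x25519-sha512@openssh.com" ];` could live, with `kexAlgorithms = pqKex;` and `KexAlgorithms = pqKex;` keeping the two in step. The enclosing `programs` and `services.openssh.settings` attribute sets begin and end outside the hunks.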