{ config, lib, ... }:

# OpenSSH server hardening, applied only to machines that list "openssh"
# in config.machine.services.  Reference material:
#   https://infosec.mozilla.org/guidelines/openssh.html
#   https://stribika.github.io/2015/01/04/secure-secure-shell.html
lib.mkIf (lib.elem "openssh" config.machine.services) {
  services.openssh = {
    enable = true;

    # Socket-activated: an sshd instance is started per connection instead
    # of one long-lived daemon listening on the port.
    startWhenNeeded = true;

    # A single key-exchange method is offered to clients.  Ciphers and
    # MACs are not pinned in this file, so whatever the module / sshd
    # defaults are applies to those.
    kexAlgorithms = [ "curve25519-sha256@libssh.org" ];

    # sftp-server logs to the AUTHPRIV syslog facility at INFO level.
    sftpFlags = [ "-f AUTHPRIV" "-l INFO" ];

    # Public-key authentication only: no passwords, no keyboard-interactive
    # challenge/response, and no direct root logins.
    challengeResponseAuthentication = false;
    passwordAuthentication = false;
    permitRootLogin = "no";

    # Raw sshd_config lines the module appends to the generated file.
    # AllowUsers restricts logins to the listed accounts; LogLevel VERBOSE
    # records the fingerprint of the key used for each successful login.
    # NOTE(review): the NixOS module may itself emit `UsePAM yes` earlier in
    # the generated sshd_config, and sshd honours the first occurrence of a
    # keyword, so the `UsePAM no` below may be ineffective — confirm against
    # the rendered config.
    # NOTE(review): UsePrivilegeSeparation has been deprecated since
    # OpenSSH 7.5 (sandboxing is always on); current sshd accepts the line
    # but logs a deprecation warning.
    extraConfig = ''
      UsePAM no
      AllowUsers derped git nix-ssh
      UsePrivilegeSeparation sandbox
      LogLevel VERBOSE
    '';
  };
}