{ config, lib, ... }:

# sshd hardening for machines that list "openssh" in config.machine.services.
# Guidance followed:
#   https://infosec.mozilla.org/guidelines/openssh.html
#   https://stribika.github.io/2015/01/04/secure-secure-shell.html
let
  cfg = config.machine;
  gitea = config.services.gitea;

  # Space-separated login allow-list: every administrator's user name, plus the
  # gitea service user when that service is enabled. Each entry carries a
  # trailing space, so the result reads e.g. "alice bob gitea ".
  allowedUsers =
    lib.concatStrings (map (admin: admin.name + " ") cfg.administrators)
    + (if gitea.enable then gitea.user + " " else "");
in
lib.mkIf (builtins.elem "openssh" cfg.services) {
  services.openssh = {
    enable = true;

    # Key exchange restricted to Curve25519 only (the libssh.org name of the
    # algorithm; "curve25519-sha256" is the same exchange under its IANA name).
    kexAlgorithms = [ "curve25519-sha256@libssh.org" ];

    # Send sftp-server logs to the AUTHPRIV facility at INFO level so file
    # transfers show up alongside the authentication log.
    sftpFlags = [ "-f AUTHPRIV" "-l INFO" ];

    # Socket-activated: sshd is only started when a connection arrives.
    startWhenNeeded = true;

    # Public-key authentication only: no passwords, no keyboard-interactive,
    # and root may not log in directly.
    # NOTE(review): newer NixOS releases expose these under
    # services.openssh.settings.* — confirm against the release in use.
    challengeResponseAuthentication = false;
    passwordAuthentication = false;
    permitRootLogin = "no";

    # Raw sshd_config lines. LogLevel VERBOSE makes sshd record the fingerprint
    # of the key used for each login, which is what the referenced guidelines
    # recommend for auditing.
    # NOTE(review): with no administrators and gitea disabled, allowedUsers is
    # empty and this emits a bare "AllowUsers" line — verify sshd accepts that
    # configuration before relying on it.
    # Ciphers and MACs are left at the sshd defaults here; the referenced
    # guidelines also suggest pinning them explicitly.
    extraConfig = ''
      UsePAM no
      AllowUsers ${allowedUsers}
      LogLevel VERBOSE
    '';
  };
}