From f646c091cc6a058df5ff38e061342f024c8e43df Mon Sep 17 00:00:00 2001
From: ashisgreat22
Date: Thu, 19 Mar 2026 00:05:12 +0100
Subject: [PATCH] Harden SSH and enable post-quantum key exchange (sntrup761x25519-sha512) for system and Forgejo

---
 configuration.nix | 14 ++++++++++++++
 modules/forgejo.nix | 4 ++++
 2 files changed, 18 insertions(+)

diff --git a/configuration.nix b/configuration.nix
index 0826503..649816e 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -24,6 +24,20 @@
 settings = {
 PermitRootLogin = "no";
 PasswordAuthentication = false;
+ KexAlgorithms = [
+ "sntrup761x25519-sha512@openssh.com"
+ "curve25519-sha256"
+ "curve25519-sha256@libssh.org"
+ ];
+ Ciphers = [
+ "chacha20-poly1305@openssh.com"
+ "aes256-gcm@openssh.com"
+ ];
+ Macs = [
+ "hmac-sha2-512-etm@openssh.com"
+ "hmac-sha2-256-etm@openssh.com"
+ "umac-128-etm@openssh.com"
+ ];
 };
 };
diff --git a/modules/forgejo.nix b/modules/forgejo.nix
index 0a6e5cd..f8cf6f6 100644
--- a/modules/forgejo.nix
+++ b/modules/forgejo.nix
@@ -54,6 +54,10 @@ in
 SSH_PORT = 2222;
 START_SSH_SERVER = true;
 SSH_LISTEN_ADDR = "0.0.0.0";
+ # SSH Hardening
+ SSH_SERVER_KEY_EXCHANGES = "sntrup761x25519-sha512,curve25519-sha256,curve25519-sha256@libssh.org";
+ SSH_SERVER_CIPHERS = "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com";
+ SSH_SERVER_MACS = "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com";
 };
 service = {
 DISABLE_REGISTRATION = cfg.disableRegistration;
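Review bot: The `KexAlgorithms` list makes the post-quantum hybrid preferred but not required — `curve25519-sha256` and `curve25519-sha256@libssh.org` stay on offer, so any client without sntrup761x25519 support (OpenSSH older than 9.0, libssh2-based tools, many Git GUIs and CI runners) still gets a purely classical exchange, which is exactly the harvest-now-decrypt-later exposure the commit title says it closes. If that fallback is intentional it should be stated next to the list, e.g. `# PQ hybrid first; the curve25519 entries are a deliberate fallback for pre-OpenSSH-9.0 clients — remove them to make PQ mandatory.`; if not, keep only the `@openssh.com` entry and confirm on the built host with `sshd -T -f /etc/ssh/sshd_config | grep -i kexalgorithms` that nothing else re-enters the list. Since nixpkgs tracks recent OpenSSH, consider also listing `mlkem768x25519-sha256` (OpenSSH 9.9+, upstream's current default) ahead of sntrup761 — check the deployed version with `ssh -Q kex` before adding it, as an unknown name fails `sshd -t` and therefore the NixOS build. The enclosing `services.openssh.settings` attrset begins before this hunk.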
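Review bot: `SSH_SERVER_KEY_EXCHANGES` spells the algorithm as `sntrup761x25519-sha512` while the sshd hunk uses `sntrup761x25519-sha512@openssh.com`; these are distinct identifiers on the wire, so at minimum the two files should agree, and the unsuffixed IANA name is only recognised by newer peers. More importantly, Forgejo's built-in SSH server is a Go implementation (x/crypto/ssh), not OpenSSH, and to my knowledge that library silently drops algorithm names it does not implement instead of failing — if the pinned Forgejo's library lacks sntrup761 (it gained `mlkem768x25519-sha256` first; sntrup support should be confirmed against that version), port 2222 quietly offers only curve25519 and the commit's PQ claim does not hold there, with no error to tell you; `umac-128-etm@openssh.com` is likely dropped the same way, which is harmless. Verify after deploy with `ssh -vvv -p 2222 git@<host>` and read the negotiated `kex:` line, then record it in the comment, e.g. `# SSH Hardening — x/crypto ignores unknown algorithm names; negotiated kex verified with ssh -vvv on <date>`. The surrounding `server` attrset starts and ends outside this hunk.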