From 3ff0741686da57494c8ca221c9f32dc9461c25fa Mon Sep 17 00:00:00 2001 From: LucasFA <23667494+LucasFA@users.noreply.github.com> Date: Thu, 30 Oct 2025 18:11:12 +0100 Subject: [PATCH] nixos/common: update KexAlgorithms selection sshd determines order of preference from the list of acceptable algos in KexAlgorithms by the order of the items, so sort by security properties or as per upstream openSSH ordering Add new post-quantum secure algorithms --- nixos/common/openssh.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/nixos/common/openssh.nix b/nixos/common/openssh.nix index 9f35b39f..0fcc19ee 100644 --- a/nixos/common/openssh.nix +++ b/nixos/common/openssh.nix @@ -11,11 +11,13 @@ # Use key exchange algorithms recommended by `nixpkgs#ssh-audit` settings.KexAlgorithms = [ + "mlkem768x25519-sha256" + "sntrup761x25519-sha512" + "sntrup761x25519-sha512@openssh.com" "curve25519-sha256" "curve25519-sha256@libssh.org" "diffie-hellman-group16-sha512" "diffie-hellman-group18-sha512" - "sntrup761x25519-sha512@openssh.com" ]; # Only allow system-level authorized_keys to avoid injections. # We currently don't enable this when git-based software that relies on this is enabled.
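Review bot: The comment above the list (`# Use key exchange algorithms recommended by \`nixpkgs#ssh-audit\``) no longer explains the rationale this change relies on: the commit message says the order of `settings.KexAlgorithms` is sshd's preference order, but nothing in the file records that, so a later contributor could alphabetise or append to the list and silently demote the post-quantum hybrids. Suggest extending the comment, e.g. `# Listed in order of preference (sshd prefers earlier entries); keep the post-quantum hybrids first`. Two further points: the three names added at the head of the list (`mlkem768x25519-sha256`, `sntrup761x25519-sha512` and its `@openssh.com` alias) are only recognised by recent OpenSSH releases, and sshd refuses to start when sshd_config names a KexAlgorithms entry it does not know, so the commit message should state the minimum OpenSSH version this module now assumes (or the module should assert on it); and since the removed trailing `sntrup761x25519-sha512@openssh.com` is re-added near the top, this is a pure reorder plus two additions, which is worth saying explicitly in the message so reviewers do not read the deletion as dropping an algorithm.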