nixos/ssh: introduce enableRecommendedAlgorithms

[tomfitzhenry]

Prior to this commit, the default behaviour of services.openssh is to set the cryptographic algorithms to those recommended by Mozilla and a blog post.

This option allows users to easily opt-opt ouf of this recommendation and instead use upstream's defaults.

I'm also open to just dropping any overriding of upstream's defaults. In future I'll be exploring switching this default to false.

Description of changes

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[teto]

IMO we should just use upstream's. It's not our place to override those. I would enjoy a "hardened ssh" profile though that one could just import or at least take inspiration from.

[tomfitzhenry]

IMO we should just use upstream's. It's not our place to override those. I would enjoy a "hardened ssh" profile though that one could just import or at least take inspiration from.

Proposed in #316934.