backup: accept older public key algorithms (#482)

mail.ams1.psf.io is using ssh-rsa still, which isn't ideal

but until it is upgraded we need to accept this algorithm

Author: ewdurbin

salt/backup/server/init.sls

@@ -2,6 +2,15 @@
 include:
   - backup.base
 
+{# TODO: When we have retired distros older than 20.04, remove this #}
+/etc/ssh/ssh_config.d/pubkey.conf:
+  file.managed:
+    - contents: |
+        PubkeyAcceptedAlgorithms +ssh-rsa
+    - user: root
+    - group: root
+    - mode: "0644"
+
 {% for backup, config in salt['pillar.get']('backup-server:backups', {}).items() %}
 
 {{ backup }}-user:

salt/ssh/configs/sshd_config.jinja

@@ -1,6 +1,11 @@
 # Basic configuration
 # ===================
 
+# Include sshd_config.d dir for distros that use it
+{% if grains["oscodename"] in ["jammy", "noble"] %}
+Include /etc/ssh/sshd_config.d/*.conf
+{% endif %}
+
 # Either disable or only allow root login via certificates.
 {% if salt["pillar.get"]("ssh:allow_root_with_key", False) %}
 PermitRootLogin without-password