Bug | Resolution: Done-Errata | Minor | rhel-8.0.0 | openssh-8.0p1-21.el8

A fresh install includes "HostKey /etc/ssh/ssh_host_ed25519_key" in
sshd_config, but that runs afoul of FIPS mode, and an error is logged, as
that sort of key is not generated. While this is effectively cosmetic and
the user can elide the comment, for environments tracking their logs
diligently it's problematic.

What options exist for handling this? We don't have the ability as far as
I'm aware to deploy configuration dynamically based on the presence of
factors like FIPS being enabled, but that would be ideal. Would a
post-install script be a reasonable way to make sure the configuration
installed doesn't include directives incompatible with the operating
environment?

I'd be willing to submit a patch to accomplish this, at least for this
specific case although perhaps with an eye towards a flexible set of
constraints, given some assurance that it has some chance of being
accepted. If there's a preferred path towards fixing this, however, I'd
be grateful to hear it.
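
The kind of post-install check the report asks about, as an added sketch that is not code from the reporter or from the openssh package. The function names are hypothetical, and spotting the key type by the `ed25519` substring in the HostKey path is an assumption that holds only for default file names.

```shell
#!/bin/sh
# Added example: find and comment out HostKey directives that sshd
# cannot honour when the host runs in FIPS mode.
# Assumptions: keyword and path are separated by whitespace, and the key
# type is recognisable from the file name (true for default names only).

# fips_enabled FLAG_FILE -> exit status 0 when the flag file contains 1.
# On a real host FLAG_FILE would be /proc/sys/crypto/fips_enabled.
fips_enabled() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# incompatible_hostkeys CONFIG -> prints the path of every active
# (uncommented) HostKey directive that names an ed25519 key.
# sshd_config keywords are case-insensitive, hence tolower().
incompatible_hostkeys() {
    awk 'tolower($1) == "hostkey" && $2 ~ /ed25519/ { print $2 }' "$1"
}

# filter_config CONFIG FLAG_FILE -> prints CONFIG to stdout; in FIPS mode
# the incompatible HostKey lines are emitted commented out, otherwise the
# file is passed through unchanged.
filter_config() {
    if fips_enabled "$2"; then
        awk 'tolower($1) == "hostkey" && $2 ~ /ed25519/ { print "#" $0; next }
             { print }' "$1"
    else
        cat "$1"
    fi
}

# Constructed sample input (not taken from a real host).
demo=$(mktemp -d)
cat > "$demo/sshd_config" <<'EOF'
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# HostKey /etc/ssh/ssh_host_old_ed25519_key
PermitRootLogin no
EOF
echo 1 > "$demo/fips_on"
echo 0 > "$demo/fips_off"

# Show the config as it would be installed on a FIPS-enabled host.
filter_config "$demo/sshd_config" "$demo/fips_on"
```

The filtered output can be checked with `sshd -t -f FILE` before it replaces the installed configuration.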