diff --git a/nixos/components/network/default.nix b/nixos/components/network/default.nix
new file mode 100644
index 0000000..f682473
--- /dev/null
+++ b/nixos/components/network/default.nix
@@ -0,0 +1,6 @@
+{ ... }:
+{
+ imports = [
+ ./sshd
+ ];
+}
diff --git a/nixos/components/network/sshd/default.nix b/nixos/components/network/sshd/default.nix
new file mode 100644
index 0000000..cc61d0b
--- /dev/null
+++ b/nixos/components/network/sshd/default.nix
@@ -0,0 +1,84 @@
+{ pkgs, config, lib, ... }:
+
+with lib;
+with types;
+
+let
+ cfg = config.component.network.sshd;
+ defaultRootKeyFiles = [ (toString ../../../assets/ssh/palo_rsa.pub) ];
+in
+{
+
+ imports = [
+ ./known-hosts-bootup.nix
+ ./known-hosts-private.nix
+ ./known-hosts-public.nix
+ ];
+
+ options.component.network.sshd = {
+ enable = mkOption {
+ type = bool;
+ default = true;
+ description = "add ssh tools";
+ };
+ rootKeyFiles = mkOption {
+ type = with types; listOf path;
+ default = [ ];
+ description = "keys to root login";
+ };
+ tools.enable = mkOption {
+ type = bool;
+ default = true;
+ description = "add ssh tools";
+ };
+ onlyTincAccess = mkOption {
+ type = bool;
+ default = false;
+ description = ''
+ make sure ssh is only available trough the tinc
+ '';
+ };
+ };
+
+ config = mkMerge [
+
+ (mkIf cfg.tools.enable {
+ environment.systemPackages = [ pkgs.sshfs ];
+ })
+
+ (mkIf cfg.enable {
+
+ services.openssh = {
+ enable = true;
+ forwardX11 = false;
+ passwordAuthentication = false;
+ };
+
+ users.users.root.openssh.authorizedKeys.keyFiles =
+ cfg.rootKeyFiles ++ defaultRootKeyFiles;
+
+ services.openssh.extraConfig = ''
+ Banner /etc/ssh/banner-line
+ '';
+
+ environment.etc."ssh/banner-line".text =
+ let
+ text = config.networking.hostName;
+ size = 80 - (lib.stringLength text);
+ space = lib.fixedWidthString size " " "";
+ in
+ ''
+ ────────────────────────────────────────────────────────────────────────────────
+ ${space}${text}
+ '';
+
+ })
+
+ (mkIf (cfg.onlyTincAccess && cfg.enable) {
+ networking.firewall.extraCommands = ''
+ iptables --table nat --append PREROUTING ! --in-interface tinc.+ --protocol tcp --match tcp --dport 22 --jump REDIRECT --to-ports 0
+ '';
+ })
+ ];
+
+}
diff --git a/nixos/system/all/sshd-known-hosts-bootup.nix b/nixos/components/network/sshd/known-hosts-bootup.nix
similarity index 100%
rename from nixos/system/all/sshd-known-hosts-bootup.nix
rename to nixos/components/network/sshd/known-hosts-bootup.nix
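Review bot: The `onlyTincAccess` block at the end of the hunk does not actually confine SSH to tinc on a dual-stack host: its only rule is an IPv4 `iptables` nat `REDIRECT --to-ports 0` in PREROUTING, nothing equivalent is added for ip6tables, and `services.openssh.enable = true` leaves NixOS's default opening of port 22 in the firewall in place, so sshd stays reachable over IPv6 on every non-tinc interface. A filter-level, dual-stack version is `services.openssh.openFirewall = false;` together with `networking.firewall.interfaces."tinc.+".allowedTCPPorts = [ 22 ];` (same interface pattern, assuming the NixOS release in use has `openFirewall`), which also avoids a nat rule that `extraCommands` re-appends on every firewall start with no `extraStopCommands` to remove it — whether duplicates really accumulate depends on how this NixOS version's firewall reloads, so verify that before relying on it. Separately, `keyFiles = cfg.rootKeyFiles ++ defaultRootKeyFiles` hard-wires `palo_rsa.pub` into root's authorized keys on every host with `enable = true` and no option can remove it; making it the option's default instead (`default = defaultRootKeyFiles;` and `keyFiles = cfg.rootKeyFiles;`) keeps today's behaviour while letting a single machine override the key. The `enable` option's description `"add ssh tools"` is copied from `tools.enable` and should say that it enables the sshd server.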
diff --git a/nixos/system/all/sshd-known-hosts-private.nix b/nixos/components/network/sshd/known-hosts-private.nix
similarity index 100%
rename from nixos/system/all/sshd-known-hosts-private.nix
rename to nixos/components/network/sshd/known-hosts-private.nix
diff --git a/nixos/system/all/sshd-known-hosts-public.nix b/nixos/components/network/sshd/known-hosts-public.nix
similarity index 100%
rename from nixos/system/all/sshd-known-hosts-public.nix
rename to nixos/components/network/sshd/known-hosts-public.nix
diff --git a/nixos/machines/robi/configuration.nix b/nixos/machines/robi/configuration.nix
index 838fa34..0199752 100644
--- a/nixos/machines/robi/configuration.nix
+++ b/nixos/machines/robi/configuration.nix
@@ -3,14 +3,13 @@
 ../../system/all/borg-jobs.nix
 ../../system/all/defaults.nix
- ../../system/all/sshd-known-hosts-bootup.nix
- ../../system/all/sshd-known-hosts-private.nix
- ../../system/all/sshd-known-hosts-public.nix
 ../../system/all/syncthing.nix
- ../../system/all/tinc.nix
 ../../system/server/netdata.nix
 ../../system/server/packages.nix
+ ../../components/network/sshd
+ ../../system/all/tinc.nix
+ ./hetzner.nix
 ./borg.nix
diff --git a/nixos/modules/default.nix b/nixos/modules/default.nix
index a13551e..104fdb4 100644
--- a/nixos/modules/default.nix
+++ b/nixos/modules/default.nix
@@ -8,7 +8,6 @@
 ./services/home-assistant.nix
 ./services/lektor.nix
 ./services/samba-share.nix
- ./services/sshd.nix
 ./services/videoencoder.nix
 ./services/taskwarrior-pushover.nix
 ./services/taskwarrior-autotag.nix
diff --git a/nixos/modules/services/sshd.nix b/nixos/modules/services/sshd.nix
deleted file mode 100644
index a252e27..0000000
--- a/nixos/modules/services/sshd.nix
+++ /dev/null
@@ -1,63 +0,0 @@
-{ pkgs, config, lib, ... }:
-
-with lib;
-
-let
-
- cfg = config.services.custom.ssh;
-
-in
-{
-
- options.services.custom.ssh = {
- tools.enable = mkEnableOption "Add ssh tools";
- sshd = {
- enable = mkEnableOption "Start sshd server";
- rootKeyFiles = mkOption {
- type = with types; listOf path;
- description = "keys to root login";
- default = [ ];
- };
- };
- };
-
- config = mkMerge [
-
- (mkIf cfg.tools.enable {
- environment.systemPackages = with pkgs;
- [
- # sshuttle
- sshfs
- ];
- })
-
- (mkIf cfg.sshd.enable {
-
- services.openssh = {
- enable = true;
- forwardX11 = true;
- passwordAuthentication = false;
- };
-
- users.users.root.openssh.authorizedKeys.keyFiles = cfg.sshd.rootKeyFiles;
-
- services.openssh.extraConfig = ''
- Banner /etc/sshd/banner-line
- '';
-
- environment.etc."sshd/banner-line".text =
- let
- text = config.networking.hostName;
- size = 80 - (lib.stringLength text);
- space = lib.fixedWidthString size " " "";
- in
- ''
- ────────────────────────────────────────────────────────────────────────────────
- ${space}${text}
- '';
-
- })
-
- ];
-
-}
diff --git a/nixos/system/all/default.nix b/nixos/system/all/default.nix
index dc0aa25..48931ef 100644
--- a/nixos/system/all/default.nix
+++ b/nixos/system/all/default.nix
@@ -3,6 +3,7 @@
 imports = [
 ../../modules
+ ../../components/network
 ./defaults.nix
@@ -19,10 +20,6 @@
 ./packages.nix
 ./borg-jobs.nix
 ./borg-scripts.nix
- ./sshd-known-hosts-bootup.nix
- ./sshd-known-hosts-private.nix
- ./sshd-known-hosts-public.nix
- ./sshd.nix
 ./syncthing.nix
 ./tinc.nix
 ./on-failure.nix
diff --git a/nixos/system/all/sshd.nix b/nixos/system/all/sshd.nix
deleted file mode 100644
index 463235e..0000000
--- a/nixos/system/all/sshd.nix
+++ /dev/null
@@ -1,19 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-with lib;
-
-{
-
- # not needed anymore
- # programs.ssh.hostKeyAlgorithms = [ "ssh-rsa" "ssh-ed25519" "ecdsa-sha2-nistp256" ];
-
- services.custom.ssh = {
- tools.enable = true;
- sshd = {
- enable = true;
- rootKeyFiles = [ (toString ../../assets/ssh/palo_rsa.pub) ];
- };
- };
-
-}
-
diff --git a/nixos/system/desktop/default.nix b/nixos/system/desktop/default.nix
index e3f6c8e..0b489b1 100644
--- a/nixos/system/desktop/default.nix
+++ b/nixos/system/desktop/default.nix
@@ -19,7 +19,6 @@
 ./pass.nix
 ./remote-install.nix
 ./size.nix
- ./sshd.nix
 ./suspend.nix
 ./user.nix
 ./x11.nix
@@ -28,6 +27,8 @@
 ./wtf.nix
 ];
+
+ component.network.sshd.onlyTincAccess = lib.mkDefault true; + system.custom.suspend.enable = lib.mkDefault true;
 backup.dirs = [
diff --git a/nixos/system/desktop/sshd.nix b/nixos/system/desktop/sshd.nix
deleted file mode 100644
index 5762fbe..0000000
--- a/nixos/system/desktop/sshd.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-{ config, lib, ... }:
-with lib;
-let cfg = config.desktop.ssh.onlyTinc;
-in {
- options.desktop.ssh.onlyTinc = mkOption {
- type = with types; bool;
- default = true;
- description = ''
- make sure ssh is only available trough the tinc
- '';
- };
- config = mkIf cfg {
- networking.firewall.extraCommands = ''
- iptables --table nat --append PREROUTING ! --in-interface tinc.+ --protocol tcp --match tcp --dport 22 --jump REDIRECT --to-ports 0
- '';
- };
-}