migrate sshd to component.sshd

nixos/components/network/default.nix

@@ -0,0 +1,6 @@
+{ ... }:
+{
+  imports = [
+    ./sshd
+  ];
+}

nixos/components/network/sshd/default.nix

@@ -0,0 +1,84 @@
+{ pkgs, config, lib, ... }:
+
+with lib;
+with types;
+
+let
+  cfg = config.component.network.sshd;
+  defaultRootKeyFiles = [ (toString ../../../assets/ssh/palo_rsa.pub) ];
+in
+{
+
+  imports = [
+    ./known-hosts-bootup.nix
+    ./known-hosts-private.nix
+    ./known-hosts-public.nix
+  ];
+
+  options.component.network.sshd = {
+    enable = mkOption {
+      type = bool;
+      default = true;
+      description = "add ssh tools";
+    };
+    rootKeyFiles = mkOption {
+      type = with types; listOf path;
+      default = [ ];
+      description = "keys to root login";
+    };
+    tools.enable = mkOption {
+      type = bool;
+      default = true;
+      description = "add ssh tools";
+    };
+    onlyTincAccess = mkOption {
+      type = bool;
+      default = false;
+      description = ''
+        make sure ssh is only available trough the tinc
+      '';
+    };
+  };
+
+  config = mkMerge [
+
+    (mkIf cfg.tools.enable {
+      environment.systemPackages = [ pkgs.sshfs ];
+    })
+
+    (mkIf cfg.enable {
+
+      services.openssh = {
+        enable = true;
+        forwardX11 = false;
+        passwordAuthentication = false;
+      };
+
+      users.users.root.openssh.authorizedKeys.keyFiles =
+        cfg.rootKeyFiles ++ defaultRootKeyFiles;
+
+      services.openssh.extraConfig = ''
+        Banner /etc/ssh/banner-line
+      '';
+
+      environment.etc."ssh/banner-line".text =
+        let
+          text = config.networking.hostName;
+          size = 80 - (lib.stringLength text);
+          space = lib.fixedWidthString size " " "";
+        in
+        ''
+          ────────────────────────────────────────────────────────────────────────────────
+          ${space}${text}
+        '';
+
+    })
+
+    (mkIf (cfg.onlyTincAccess && cfg.enable) {
+      networking.firewall.extraCommands = ''
+        iptables --table nat --append PREROUTING ! --in-interface tinc.+ --protocol tcp --match tcp --dport 22 --jump REDIRECT --to-ports 0
+      '';
+    })
+  ];
+
+}

nixos/machines/robi/configuration.nix

@@ -3,14 +3,13 @@
 
     ../../system/all/borg-jobs.nix
     ../../system/all/defaults.nix
-    ../../system/all/sshd-known-hosts-bootup.nix
-    ../../system/all/sshd-known-hosts-private.nix
-    ../../system/all/sshd-known-hosts-public.nix
     ../../system/all/syncthing.nix
-    ../../system/all/tinc.nix
     ../../system/server/netdata.nix
     ../../system/server/packages.nix
 
+    ../../components/network/sshd
+    ../../system/all/tinc.nix
+
     ./hetzner.nix
 
     ./borg.nix

nixos/modules/default.nix

@@ -8,7 +8,6 @@
     ./services/home-assistant.nix
     ./services/lektor.nix
     ./services/samba-share.nix
-    ./services/sshd.nix
     ./services/videoencoder.nix
     ./services/taskwarrior-pushover.nix
     ./services/taskwarrior-autotag.nix

nixos/modules/services/sshd.nix

@@ -1,63 +0,0 @@
-{ pkgs, config, lib, ... }:
-
-with lib;
-
-let
-
-  cfg = config.services.custom.ssh;
-
-in
-{
-
-  options.services.custom.ssh = {
-    tools.enable = mkEnableOption "Add ssh tools";
-    sshd = {
-      enable = mkEnableOption "Start sshd server";
-      rootKeyFiles = mkOption {
-        type = with types; listOf path;
-        description = "keys to root login";
-        default = [ ];
-      };
-    };
-  };
-
-  config = mkMerge [
-
-    (mkIf cfg.tools.enable {
-      environment.systemPackages = with pkgs;
-        [
-          # sshuttle
-          sshfs
-        ];
-    })
-
-    (mkIf cfg.sshd.enable {
-
-      services.openssh = {
-        enable = true;
-        forwardX11 = true;
-        passwordAuthentication = false;
-      };
-
-      users.users.root.openssh.authorizedKeys.keyFiles = cfg.sshd.rootKeyFiles;
-
-      services.openssh.extraConfig = ''
-        Banner /etc/sshd/banner-line
-      '';
-
-      environment.etc."sshd/banner-line".text =
-        let
-          text = config.networking.hostName;
-          size = 80 - (lib.stringLength text);
-          space = lib.fixedWidthString size " " "";
-        in
-        ''
-          ────────────────────────────────────────────────────────────────────────────────
-          ${space}${text}
-        '';
-
-    })
-
-  ];
-
-}

nixos/system/all/default.nix

@@ -3,6 +3,7 @@
   imports = [
 
     ../../modules
+    ../../components/network
 
     ./defaults.nix
 
@@ -19,10 +20,6 @@
     ./packages.nix
     ./borg-jobs.nix
     ./borg-scripts.nix
-    ./sshd-known-hosts-bootup.nix
-    ./sshd-known-hosts-private.nix
-    ./sshd-known-hosts-public.nix
-    ./sshd.nix
     ./syncthing.nix
     ./tinc.nix
     ./on-failure.nix

nixos/system/all/sshd.nix

@@ -1,19 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-with lib;
-
-{
-
-  # not needed anymore
-  # programs.ssh.hostKeyAlgorithms = [ "ssh-rsa" "ssh-ed25519" "ecdsa-sha2-nistp256" ];
-
-  services.custom.ssh = {
-    tools.enable = true;
-    sshd = {
-      enable = true;
-      rootKeyFiles = [ (toString ../../assets/ssh/palo_rsa.pub) ];
-    };
-  };
-
-}
-

nixos/system/desktop/default.nix

@@ -19,7 +19,6 @@
     ./pass.nix
     ./remote-install.nix
     ./size.nix
-    ./sshd.nix
     ./suspend.nix
     ./user.nix
     ./x11.nix
@@ -28,6 +27,8 @@
     ./wtf.nix
   ];
 
+  component.network.sshd.onlyTincAccess = lib.mkDefault true;
+
   system.custom.suspend.enable = lib.mkDefault true;
 
   backup.dirs = [

nixos/system/desktop/sshd.nix

@@ -1,17 +0,0 @@
-{ config, lib, ... }:
-with lib;
-let cfg = config.desktop.ssh.onlyTinc;
-in {
-  options.desktop.ssh.onlyTinc = mkOption {
-    type = with types; bool;
-    default = true;
-    description = ''
-      make sure ssh is only available trough the tinc
-    '';
-  };
-  config = mkIf cfg {
-    networking.firewall.extraCommands = ''
-      iptables --table nat --append PREROUTING ! --in-interface tinc.+ --protocol tcp --match tcp --dport 22 --jump REDIRECT --to-ports 0
-    '';
-  };
-}