From eb70c898a0a94630354a8d05c2f4e6455d277ebc Mon Sep 17 00:00:00 2001
From: Aaron Bieber
Date: Mon, 1 Jul 2024 13:15:07 -0600
Subject: [PATCH] all: move ssh config to configs/ssh
---
 configs/default.nix | 1 +
 configs/ssh.nix | 58 ++++++++++++++++++++++++++++++++++++++++++++
 default.nix | 42 +-------------------------------
 hosts/tv/default.nix | 1 +
 4 files changed, 61 insertions(+), 41 deletions(-)
 create mode 100644 configs/ssh.nix
diff --git a/configs/default.nix b/configs/default.nix
index 637f755..09ceb0d 100644
--- a/configs/default.nix
+++ b/configs/default.nix
@@ -14,6 +14,7 @@
 ./net-overlay.nix
 ./nix.nix
 ./polybar.nix
+ ./ssh.nix
 ./tmux.nix
 ./update.nix
 ./zsh.nix
diff --git a/configs/ssh.nix b/configs/ssh.nix
new file mode 100644
index 0000000..a0ff804
--- /dev/null
+++ b/configs/ssh.nix
@@ -0,0 +1,58 @@
+{ config
+, lib
+, pkgs
+, xinlib
+, ...
+}:
+let
+ myOpenSSH = pkgs.pkgsMusl.callPackage ../pkgs/openssh.nix {
+ inherit config;
+ inherit xinlib;
+ };
+in
+{
+ config = {
+ programs = {
+ ssh = {
+ package = lib.mkDefault myOpenSSH;
+ agentPKCS11Whitelist = "${pkgs.opensc}/lib/opensc-pkcs11.so";
+ knownHosts = {
+ "[namish.otter-alligator.ts.net]:2222".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9jlU5XATs8N90mXuCqrflwOJ+s3s7LefDmFZBx8cCk";
+ "[git.tapenet.org]:2222".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOkbSJWeWJyJjak/boaMTqzPVq91wfJz1P+I4rnBUsPW";
+ };
+ knownHostsFiles = [ ./ssh_known_hosts ];
+ startAgent = true;
+ agentTimeout = "100m";
+ extraConfig = ''
+ Host *
+ controlmaster auto
+ controlpath /tmp/ssh-%r@%h:%p
+
+ VerifyHostKeyDNS yes
+ AddKeysToAgent 90m
+ CanonicalizeHostname always
+ '';
+ };
+ };
+
+ services = {
+ openssh = {
+ enable = true;
+ extraConfig = ''
+ TrustedUserCAKeys = /etc/ssh/ca.pub
+ '';
+ settings = {
+ PrintMotd = true;
+ PermitRootLogin = "prohibit-password";
+ PasswordAuthentication = false;
+ KexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
+ Macs = [
+ "hmac-sha2-512-etm@openssh.com"
+ "hmac-sha2-256-etm@openssh.com"
+ "umac-128-etm@openssh.com"
+ ];
+ };
+ };
+ };
+ };
+}
diff --git a/default.nix b/default.nix
index 47dfe05..ee0069e 100644
--- a/default.nix
+++ b/default.nix
@@ -16,10 +16,7 @@ let
 command="/run/current-system/sw/bin/xin",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9PIhQ+yWfBM2tEG+W8W8HXJXqISXif8BcPZHakKvLM xin-status
 '';
 gosignify = pkgs.callPackage ./pkgs/gosignify.nix { inherit isUnstable; };
- myOpenSSH = pkgs.pkgsMusl.callPackage ./pkgs/openssh.nix {
- inherit config;
- inherit xinlib;
- };
+
 xin = pkgs.perlPackages.callPackage ./bins/xin { inherit pkgs; };
 in
 {
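Review bot: In the `services.openssh.settings` block of the new configs/ssh.nix, `PasswordAuthentication = false;` on its own does not close the password path on NixOS: sshd runs with PAM there, and keyboard-interactive authentication, which the NixOS sshd module leaves enabled by default, still lets PAM prompt for the account password, so a weak local password remains usable from the network. Adding `KbdInteractiveAuthentication = false;` beside it closes that gap, provided no host relies on a keyboard-interactive PAM flow such as a one-time-password module. Separately, in the client `extraConfig`, `controlpath /tmp/ssh-%r@%h:%p` keeps the multiplexing socket in the shared, world-writable /tmp under a predictable name that also reveals remote user and host names to every local account; ssh_config(5) recommends a user-private location, e.g. `controlpath ~/.ssh/cm-%C` (`%C` is a hash of the connection tuple). Finally, `TrustedUserCAKeys = /etc/ssh/ca.pub` is referenced but nothing in this patch provisions that file, so a comment above the `extraConfig` saying which module or deployment step supplies it would save the next reader a search.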
@@ -216,26 +213,6 @@ in
 programs = {
 zsh.enable = true;
 gnupg.agent.enable = true;
- ssh = {
- package = lib.mkDefault myOpenSSH;
- agentPKCS11Whitelist = "${pkgs.opensc}/lib/opensc-pkcs11.so";
- knownHosts = {
- "[namish.otter-alligator.ts.net]:2222".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9jlU5XATs8N90mXuCqrflwOJ+s3s7LefDmFZBx8cCk";
- "[git.tapenet.org]:2222".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOkbSJWeWJyJjak/boaMTqzPVq91wfJz1P+I4rnBUsPW";
- };
- knownHostsFiles = [ ./configs/ssh_known_hosts ];
- startAgent = true;
- agentTimeout = "100m";
- extraConfig = ''
- Host *
- controlmaster auto
- controlpath /tmp/ssh-%r@%h:%p
-
- VerifyHostKeyDNS yes
- AddKeysToAgent 90m
- CanonicalizeHostname always
- '';
- };
 };
 services.logrotate.checkConfig =
@@ -243,23 +220,6 @@ in
 services = {
 smartd.enable = lib.mkDefault true;
- openssh = {
- enable = true;
- extraConfig = ''
- TrustedUserCAKeys = /etc/ssh/ca.pub
- '';
- settings = {
- PrintMotd = true;
- PermitRootLogin = "prohibit-password";
- PasswordAuthentication = false;
- KexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
- Macs = [
- "hmac-sha2-512-etm@openssh.com"
- "hmac-sha2-256-etm@openssh.com"
- "umac-128-etm@openssh.com"
- ];
- };
- };
 };
 };
 }
diff --git a/hosts/tv/default.nix b/hosts/tv/default.nix
index 1e9f491..aa78e10 100644
--- a/hosts/tv/default.nix
+++ b/hosts/tv/default.nix
@@ -21,6 +21,7 @@ in
 imports = [
 ./hardware-configuration.nix
 ../../configs/zsh.nix
+ ../../configs/ssh.nix
 ];
 needsDeploy.enable = false;
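Review bot: Importing `../../configs/ssh.nix` in hosts/tv/default.nix pulls in the server half of that module, not only the client settings: the new file sets `services.openssh.enable = true` with `TrustedUserCAKeys = /etc/ssh/ca.pub`, so tv, which until now imported only zsh.nix from configs/, will run sshd and accept certificate logins signed by that CA if it did not already. If the goal for this host was the knownHosts and agent configuration, splitting configs/ssh.nix into a client module and a server module (or gating the `services.openssh` block behind an option) would let minimal hosts take one without the other. Nothing in this patch provisions /etc/ssh/ca.pub on tv, so confirm it is supplied by another module or deployment step. The `imports` list is fully visible here, but the rest of the tv configuration lies outside the hunk.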