global/security: move ssh config to global/ssh

2024-05-12 00:01:53 -04:00 · 2024-05-12 00:01:53 -04:00 · 1e67729be0
commit 1e67729be0
parent 6a561560c9
2 changed files with 29 additions and 26 deletions
--- a/modules/global/security.nix
+++ b/modules/global/security.nix
@ -34,32 +34,6 @@ with lib;
  # Allow non-root users to allow other users to access mount point
  programs.fuse.userAllowOther = mkDefault true;

-  # For rage encryption, all hosts need a ssh key pair
-  services.openssh = {
-    enable = true;
-    openFirewall = mkDefault true;
-    settings = {
-      X11Forwarding = mkDefault false;
-      GatewayPorts = mkDefault "yes";
-    };
-    hostKeys = mkDefault [{
-      path = "/etc/ssh/ssh_host_ed25519_key";
-      type = "ed25519";
-    }];
-  };
-
-  programs.ssh = {
-    extraConfig = with config.common; ''
-      Host rsync.net
-          Hostname ${rsyncnet.host}
-          User ${rsyncnet.user}
-
-      Host admin.rsync.net
-          Hostname ${rsyncnet.host}
-          User ${rsyncnet.account}
-    '';
-  };
-
  services.nginx = {
    statusPage = true;
    recommendedTlsSettings = true;
--- a/modules/global/ssh.nix
+++ b/modules/global/ssh.nix
@ -0,0 +1,29 @@
+{ config, lib, ... }:
+with lib;
+{
+  # For rage encryption, all hosts need a ssh key pair
+  services.openssh = {
+    enable = true;
+    openFirewall = mkDefault true;
+    settings = {
+      X11Forwarding = mkDefault false;
+      GatewayPorts = mkDefault "yes";
+    };
+    hostKeys = mkDefault [{
+      path = "/etc/ssh/ssh_host_ed25519_key";
+      type = "ed25519";
+    }];
+  };
+
+  programs.ssh = {
+    extraConfig = with config.common; ''
+      Host rsync.net
+          Hostname ${rsyncnet.host}
+          User ${rsyncnet.user}
+
+      Host admin.rsync.net
+          Hostname ${rsyncnet.host}
+          User ${rsyncnet.account}
+    '';
+  };
+}