From a5112e322ed843cf71c7cfec4e957defdc075f0c Mon Sep 17 00:00:00 2001
From: Simon Gardling
Date: Fri, 12 Dec 2025 21:09:39 -0500
Subject: [PATCH] ssh: move to seperate file
---
 configuration.nix | 26 ++------------------------
 services/ssh.nix | 35 +++++++++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+), 24 deletions(-)
 create mode 100644 services/ssh.nix
diff --git a/configuration.nix b/configuration.nix
index fc608e0..862ab94 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -45,6 +45,8 @@
 ./services/caddy_senior_project.nix
 ./services/graphing-calculator.nix
+
+ ./services/ssh.nix
 ];
 services.kmscon.enable = true;
@@ -122,19 +124,6 @@
 # Set your time zone.
 time.timeZone = "America/New_York";
- # Enable the OpenSSH daemon.
- services.openssh = {
- enable = true;
- settings = {
- AllowUsers = [
- username
- "root"
- ];
- PasswordAuthentication = false;
- PermitRootLogin = "yes"; # for deploying configs
- };
- };
-
 hardware.graphics = {
 enable = true;
 extraPackages = with pkgs; [
@@ -236,20 +225,9 @@
 "render"
 service_configs.media_group
 ];
-
- # TODO! use proper secrets management
 hashedPasswordFile = config.age.secrets.hashedPass.path;
-
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH" # laptop
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJjT5QZ3zRDb+V6Em20EYpSEgPW5e/U+06uQGJdraxi" # desktop
- ];
 };
- # used for deploying configs to server
- users.users.root.openssh.authorizedKeys.keys =
- config.users.users.${username}.openssh.authorizedKeys.keys;
-
 # https://nixos.wiki/wiki/Fish#Setting_fish_as_your_shell
 programs.fish.enable = true;
 programs.bash = {
diff --git a/services/ssh.nix b/services/ssh.nix
new file mode 100644
index 0000000..71646ef
--- /dev/null
+++ b/services/ssh.nix
@@ -0,0 +1,35 @@
+{
+ config,
+ lib,
+ pkgs,
+ username,
+ ...
+}:
+{
+ # Enable the OpenSSH daemon.
+ services.openssh = {
+ enable = true;
+ settings = {
+ AllowUsers = [
+ username
+ "root"
+ ];
+ PasswordAuthentication = false;
+ PermitRootLogin = "yes"; # for deploying configs
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "Z /etc/ssh 755 root root"
+ ];
+
+ users.users.${username}.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH" # laptop
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJjT5QZ3zRDb+V6Em20EYpSEgPW5e/U+06uQGJdraxi" # desktop
+ ];
+
+ # used for deploying configs to server
+ users.users.root.openssh.authorizedKeys.keys =
+ config.users.users.${username}.openssh.authorizedKeys.keys;
+
+}
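Review bot: The new `systemd.tmpfiles.rules` entry `"Z /etc/ssh 755 root root"` is the recursive form, so it re-modes every file under /etc/ssh, including the sshd host private keys that normally live there, to 0755 (world-readable); this is behaviour the "move" commit introduces rather than relocates, and the subject line does not mention it. If the intent is only to make the directory itself traversable, the non-recursive `"z /etc/ssh 0755 root root"` does that without touching the key files, and a one-line comment stating why the mode is needed would help the next reader. Separately, `PermitRootLogin = "yes"` is broader than the "for deploying configs" use case needs: `PermitRootLogin = "prohibit-password";` still allows the key-based root deploys set up via `users.users.root.openssh.authorizedKeys.keys` while refusing root password logins even if `PasswordAuthentication` is later re-enabled elsewhere. The `lib` and `pkgs` module arguments are not used in this file.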