From e976b14d19c4cbedcc61eae7609900e89a98f989 Mon Sep 17 00:00:00 2001 From: Geir Okkenhaug Jerstad Date: Fri, 6 Jun 2025 18:08:45 +0200 Subject: [PATCH] refactor: Move network configurations to machine directories - Move network-congenital-optimist.nix to machines/congenital-optimist/ - Move network-sleeper-service.nix to machines/sleeper-service/ - Update import paths in machine configurations - Clean up modules/network/common.nix to remove SSH duplication - Consolidate SSH configuration in modules/security/ssh-keys.nix - Remove machine-specific networking from shared common module This improves dependency tracking by co-locating machine-specific network configurations with their respective machines. --- machines/congenital-optimist/configuration.nix | 2 +- .../network-congenital-optimist.nix | 2 +- machines/sleeper-service/configuration.nix | 4 ++-- .../sleeper-service}/network-sleeper-service.nix | 2 +- modules/network/common.nix | 16 ++++------------ modules/security/ssh-keys.nix | 3 +++ 6 files changed, 12 insertions(+), 17 deletions(-) rename {modules/network => machines/congenital-optimist}/network-congenital-optimist.nix (91%) rename {modules/network => machines/sleeper-service}/network-sleeper-service.nix (97%) diff --git a/machines/congenital-optimist/configuration.nix b/machines/congenital-optimist/configuration.nix index 8b2bc00..7f1b1d5 100644 --- a/machines/congenital-optimist/configuration.nix +++ b/machines/congenital-optimist/configuration.nix @@ -7,7 +7,7 @@ }: { imports = [ ./hardware-configuration.nix - ../../modules/network/network-congenital-optimist.nix + ./network-congenital-optimist.nix # Security modules ../../modules/security/ssh-keys.nix 
diff --git a/modules/network/network-congenital-optimist.nix b/machines/congenital-optimist/network-congenital-optimist.nix similarity index 91% rename from modules/network/network-congenital-optimist.nix rename to machines/congenital-optimist/network-congenital-optimist.nix index 83fb677..0d0e4cc 100644 --- a/modules/network/network-congenital-optimist.nix +++ b/machines/congenital-optimist/network-congenital-optimist.nix @@ -4,7 +4,7 @@ { imports = [ - ./common.nix + ../../modules/network/common.nix ]; # Machine-specific network configuration diff --git a/machines/sleeper-service/configuration.nix b/machines/sleeper-service/configuration.nix index 8ff1dcf..e52d3ee 100644 --- a/machines/sleeper-service/configuration.nix +++ b/machines/sleeper-service/configuration.nix @@ -4,9 +4,9 @@ # Security modules ../../modules/security/ssh-keys.nix # Network configuration - ../../modules/network/network-sleeper-service.nix + ./network-sleeper-service.nix # Services - ../../modules/services/nfs.nix + ./nfs.nix ../../modules/system/transmission.nix # User modules - server only needs sma user diff --git a/modules/network/network-sleeper-service.nix b/machines/sleeper-service/network-sleeper-service.nix similarity index 97% rename from modules/network/network-sleeper-service.nix rename to machines/sleeper-service/network-sleeper-service.nix index 9f3cb44..b441c0d 100644 --- a/modules/network/network-sleeper-service.nix +++ b/machines/sleeper-service/network-sleeper-service.nix @@ -4,7 +4,7 @@ { imports = [ - ./common.nix + ../../modules/network/common.nix ]; # Machine-specific network configuration diff --git a/modules/network/common.nix b/modules/network/common.nix index ccb21da..a50c853 100644 --- a/modules/network/common.nix +++ b/modules/network/common.nix @@ -1,5 +1,5 @@ # Common Network Configuration -# Shared networking settings across all machines +# Minimal shared networking settings across all machines { config, pkgs, ... }: { 
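Review bot: In machines/sleeper-service/configuration.nix the NFS import changes from `../../modules/services/nfs.nix` to `./nfs.nix`, but the diffstat lists no rename or addition of an nfs.nix file and the commit message does not mention NFS. Unless machines/sleeper-service/nfs.nix already exists, evaluation will fail on the missing path. If it does exist, the host silently switches to a different NFS definition, so its export list and allowed client ranges should be compared with the shared module before merging. If the change is unintentional, keep `../../modules/services/nfs.nix`. The imports list starts and ends outside the hunk.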
@@ -8,11 +8,10 @@ # Enable nftables by default for all machines nftables.enable = true; - # Common firewall settings + # Basic firewall settings (SSH handled by security/ssh-keys.nix) firewall = { enable = true; - # SSH is allowed by default on all machines - allowedTCPPorts = [ 22 ]; + # SSH port is configured in modules/security/ssh-keys.nix }; }; @@ -21,13 +20,6 @@ # Tailscale VPN for secure remote access tailscale.enable = true; - # SSH access with secure defaults - openssh = { - enable = true; - settings = { - PermitRootLogin = "no"; - PasswordAuthentication = false; - }; - }; + # Note: SSH configuration is handled by modules/security/ssh-keys.nix }; } \ No newline at end of file diff --git a/modules/security/ssh-keys.nix b/modules/security/ssh-keys.nix index 26f70d6..32668bd 100644 --- a/modules/security/ssh-keys.nix +++ b/modules/security/ssh-keys.nix @@ -3,6 +3,9 @@ { config, pkgs, lib, ... }: { + # Firewall configuration for SSH + networking.firewall.allowedTCPPorts = [ 22 ]; + # Global SSH daemon configuration services.openssh = { enable = true;
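Review bot: The `openssh` block removed from modules/network/common.nix (hunk at -21,13) is the only place in this diff that sets `PermitRootLogin = "no"` and `PasswordAuthentication = false`, and the ssh-keys.nix hunk shows only `enable = true;` of the block meant to replace it. The rest of that block is outside the diff, so please confirm it carries both settings. Without them NixOS falls back to its defaults, which allow password logins and key-based root login. The firewall hunk at -8,11 has the same coupling: a host that imports common.nix without modules/security/ssh-keys.nix now gets neither sshd nor port 22. That fails closed, but it is worth stating in the header comment, e.g. `# Requires modules/security/ssh-keys.nix for SSH access`.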
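Review bot: The added `networking.firewall.allowedTCPPorts = [ 22 ];` in modules/security/ssh-keys.nix duplicates what the openssh module already does, and it hard-codes a port that can drift from the daemon's. With `services.openssh.openFirewall` at its default of true, the module opens whatever `services.openssh.ports` lists, so the explicit line can simply be dropped. If the intent is instead to narrow exposure now that common.nix enables Tailscale on every machine, consider `services.openssh.openFirewall = false;` together with `networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ 22 ];`. That removes LAN reachability, so it is a deliberate design choice rather than a drop-in change. The `services.openssh` block continues outside the hunk.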