refactor: Move network configurations to machine directories

- Move network-congenital-optimist.nix to machines/congenital-optimist/
- Move network-sleeper-service.nix to machines/sleeper-service/
- Update import paths in machine configurations
- Clean up modules/network/common.nix to remove SSH duplication
- Consolidate SSH configuration in modules/security/ssh-keys.nix
- Remove machine-specific networking from shared common module

This improves dependency tracking by co-locating machine-specific
network configurations with their respective machines.

machines/congenital-optimist/configuration.nix

@@ -7,7 +7,7 @@
 }: {
   imports = [
     ./hardware-configuration.nix
-    ../../modules/network/network-congenital-optimist.nix
+    ./network-congenital-optimist.nix
     
     # Security modules
     ../../modules/security/ssh-keys.nix

machines/congenital-optimist/network-congenital-optimist.nix

@@ -4,7 +4,7 @@
 
 {
   imports = [
-    ./common.nix
+    ../../modules/network/common.nix
   ];
 
   # Machine-specific network configuration

machines/sleeper-service/configuration.nix

@@ -4,9 +4,9 @@
     # Security modules
     ../../modules/security/ssh-keys.nix
     # Network configuration
-    ../../modules/network/network-sleeper-service.nix
+    ./network-sleeper-service.nix
     # Services
-    ../../modules/services/nfs.nix
+    ./nfs.nix
     ../../modules/system/transmission.nix
 
     # User modules - server only needs sma user

machines/sleeper-service/network-sleeper-service.nix

@@ -4,7 +4,7 @@
 
 {
   imports = [
-    ./common.nix
+    ../../modules/network/common.nix
   ];
 
   # Machine-specific network configuration

modules/network/common.nix

@@ -1,5 +1,5 @@
 # Common Network Configuration
-# Shared networking settings across all machines
+# Minimal shared networking settings across all machines
 { config, pkgs, ... }:
 
 {
@@ -8,11 +8,10 @@
     # Enable nftables by default for all machines
     nftables.enable = true;
     
-    # Common firewall settings
+    # Basic firewall settings (SSH handled by security/ssh-keys.nix)
     firewall = {
       enable = true;
-      # SSH is allowed by default on all machines
+      # SSH port is configured in modules/security/ssh-keys.nix
-      allowedTCPPorts = [ 22 ];
     };
   };
 
@@ -21,13 +20,6 @@
     # Tailscale VPN for secure remote access
     tailscale.enable = true;
     
-    # SSH access with secure defaults
+    # Note: SSH configuration is handled by modules/security/ssh-keys.nix
-    openssh = {
-      enable = true;
-      settings = {
-        PermitRootLogin = "no";
-        PasswordAuthentication = false;
-      };
-    };
   };
 }

modules/security/ssh-keys.nix

@@ -3,6 +3,9 @@
 { config, pkgs, lib, ... }:
 
 {
+  # Firewall configuration for SSH
+  networking.firewall.allowedTCPPorts = [ 22 ];
+
   # Global SSH daemon configuration
   services.openssh = {
     enable = true;