machines/congenital-optimist/configuration.nix

@@ -7,7 +7,7 @@
 }: {
   imports = [
     ./hardware-configuration.nix
-    ./network-congenital-optimist.nix
+    ../../modules/network/network-congenital-optimist.nix
     
     # Security modules
     ../../modules/security/ssh-keys.nix

machines/sleeper-service/configuration.nix

@@ -4,9 +4,9 @@
     # Security modules
     ../../modules/security/ssh-keys.nix
     # Network configuration
-    ./network-sleeper-service.nix
+    ../../modules/network/network-sleeper-service.nix
     # Services
-    ./nfs.nix
+    ../../modules/services/nfs.nix
     ../../modules/system/transmission.nix
 
     # User modules - server only needs sma user

modules/network/common.nix

@@ -1,5 +1,5 @@
 # Common Network Configuration
-# Minimal shared networking settings across all machines
+# Shared networking settings across all machines
 { config, pkgs, ... }:
 
 {
@@ -8,10 +8,11 @@
     # Enable nftables by default for all machines
     nftables.enable = true;
     
-    # Basic firewall settings (SSH handled by security/ssh-keys.nix)
+    # Common firewall settings
     firewall = {
       enable = true;
-      # SSH port is configured in modules/security/ssh-keys.nix
+      # SSH is allowed by default on all machines
+      allowedTCPPorts = [ 22 ];
     };
   };
 
@@ -20,6 +21,13 @@
     # Tailscale VPN for secure remote access
     tailscale.enable = true;
     
-    # Note: SSH configuration is handled by modules/security/ssh-keys.nix
+    # SSH access with secure defaults
+    openssh = {
+      enable = true;
+      settings = {
+        PermitRootLogin = "no";
+        PasswordAuthentication = false;
+      };
+    };
   };
 }

modules/network/network-congenital-optimist.nix

@@ -4,7 +4,7 @@
 
 {
   imports = [
-    ../../modules/network/common.nix
+    ./common.nix
   ];
 
   # Machine-specific network configuration

modules/network/network-sleeper-service.nix

@@ -4,7 +4,7 @@
 
 {
   imports = [
-    ../../modules/network/common.nix
+    ./common.nix
   ];
 
   # Machine-specific network configuration

modules/security/ssh-keys.nix

@@ -3,9 +3,6 @@
 { config, pkgs, lib, ... }:
 
 {
-  # Firewall configuration for SSH
-  networking.firewall.allowedTCPPorts = [ 22 ];
-
   # Global SSH daemon configuration
   services.openssh = {
     enable = true;

notes.md

@@ -1,9 +1,5 @@
 # Notes to be use to write blog post 
 
+deployment script: rsync -av --delete /home/geir/Home-lab/ sma@sleeper-service:/tmp/home-lab-config/ and ssh sma@sleeper-service "cd /tmp/home-lab-config && sudo nixos-rebuild boot --flake .#sleeper-service"
 
-- research deploy-rs
+like the best approach maye we should add a todo for making scripts or research deploy-rs
-
-# Expansion
-## Hardware 
-- https://sipeed.com/nanocluster - ai cluster
-- https://www.bee-link.com/products/beelink-me-mini-n150?variant=47599172845810 - upgrade nas/storage

plan.md

@@ -515,20 +515,7 @@ Home-lab/
 - [ ] Configuration validation tests
 - [ ] Deployment automation
 - [ ] Monitoring and alerting
-
+### 6.3 Writeup
-### 6.3 Advanced Deployment Strategies
-- [ ] **Research deploy-rs**: Investigate deploy-rs as alternative to custom lab script
-  - Evaluate Rust-based deployment tool for NixOS flakes
-  - Compare features: parallel deployment, rollback capabilities, health checks
-  - Assess integration with existing SSH key management and Tailscale network
-  - Consider migration path from current rsync + SSH approach
-- [ ] **Convert lab script to Guile Scheme**: Explore functional deployment scripting
-  - Research Guile Scheme for system administration scripting
-  - Evaluate benefits: better error handling, functional composition, extensibility
-  - Design modular deployment pipeline with Scheme
-  - Consider integration with GNU Guix deployment patterns
-  - Plan migration strategy from current shell script implementation
-### 6.4 Writeup
 - [ ] Take all the knowledge we have amassed and make a blog post or a series of blog posts
 
 ### Phase 7: goin pro