From 4cca387389bcc4d227a51019dd06409b6de14137 Mon Sep 17 00:00:00 2001
From: Victor Mignot
Date: Tue, 10 Dec 2024 12:59:37 +0100
Subject: [PATCH] Servers: Remove RSA SSH keys
---
 modules/common/network.nix | 22 +++++++++++++++++++++-
 modules/server/network.nix | 11 -----------
 2 files changed, 21 insertions(+), 12 deletions(-)
diff --git a/modules/common/network.nix b/modules/common/network.nix
index 93a3fb3..a46d32b 100644
--- a/modules/common/network.nix
+++ b/modules/common/network.nix
@@ -1,9 +1,29 @@
-{ lib, config, ... }:
+{ lib, ... }:
 with lib;
 {
 config = {
 networking.networkmanager.enable = true;
 networking.useDHCP = mkDefault true;
 networking.firewall.enable = true;
+
+ services.openssh = {
+ enable = true;
+ settings = {
+ StrictModes = true;
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ PermitEmptyPasswords = "no";
+ };
+
+ openFirewall = true;
+
+ hostKeys = [
+ {
+ comment = "Main key";
+ path = "/etc/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ ];
+ };
 };
 }
diff --git a/modules/server/network.nix b/modules/server/network.nix
index ae06ce3..9b646c9 100644
--- a/modules/server/network.nix
+++ b/modules/server/network.nix
@@ -2,20 +2,9 @@
 with lib;
 {
 config = {
- services.openssh = {
- enable = true;
- settings = {
- StrictModes = true;
- PasswordAuthentication = false;
- KbdInteractiveAuthentication = false;
- PermitEmptyPasswords = "no";
- };
- };
-
 networking.firewall.allowedTCPPorts = [
 (mkIf config.services.nginx.enable 80)
 (mkIf config.services.nginx.enable 443)
- (mkIf config.services.openssh.enable 22)
 ];
 };
 }
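Review bot: The `services.openssh` block added to modules/common/network.nix sets `enable = true;` and `openFirewall = true;` for every host that imports the common module, whereas before this commit only modules/server/network.nix enabled sshd and opened its port; the commit title mentions only the RSA key removal. If non-server machines import the common module (not visible from this patch), they now expose an SSH listener through the firewall. Consider keeping `services.openssh.enable = true;` in the server module and leaving only `settings` and `hostKeys` in common, or state the wider scope in the commit message. The `hostKeys` list would also benefit from a comment such as `# Only an ed25519 host key is generated and offered; a previously generated /etc/ssh/ssh_host_rsa_key stays on disk and must be removed separately.` (to my knowledge NixOS does not delete host key files that are no longer listed, so confirm on an existing host).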