From 828b5d73743041fbb0bd086f0b8035c515ae05d8 Mon Sep 17 00:00:00 2001 From: Hektor Misplon Date: Wed, 11 Mar 2026 14:49:23 +0100 Subject: [PATCH] refactor(hosts): use modules/ssh with sensible defaults --- hosts/andromache/default.nix | 15 ++++----------- hosts/astyanax/default.nix | 6 +----- hosts/eetion-02/default.nix | 9 +-------- hosts/eetion/default.nix | 7 +------ hosts/hecuba/default.nix | 7 +------ hosts/vm/default.nix | 6 +----- images/sd-image-orange-pi-aarch64.nix | 18 +----------------- images/sd-image-raspberry-pi-aarch64.nix | 7 +------ 8 files changed, 11 insertions(+), 64 deletions(-) diff --git a/hosts/andromache/default.nix b/hosts/andromache/default.nix index b4c05c9..973413c 100644 --- a/hosts/andromache/default.nix +++ b/hosts/andromache/default.nix @@ -35,7 +35,7 @@ in ../../modules/audio ../../modules/localization ../../modules/fonts - ../../modules/ssh/hardened-openssh.nix + ../../modules/ssh ../../modules/storage ../../modules/stylix (import ../../modules/secrets { inherit lib inputs config; }) @@ -111,16 +111,9 @@ in ]; }; - services = { - locate = { - enable = true; - package = pkgs.plocate; - }; - - openssh = { - enable = true; - harden = true; - }; + services.locate = { + enable = true; + package = pkgs.plocate; }; networking = { diff --git a/hosts/astyanax/default.nix b/hosts/astyanax/default.nix index b195067..12113bd 100644 --- a/hosts/astyanax/default.nix +++ b/hosts/astyanax/default.nix @@ -34,7 +34,7 @@ in ../../modules/users ../../modules/localization ../../modules/fonts - ../../modules/ssh/hardened-openssh.nix + ../../modules/ssh ../../modules/storage ../../modules/stylix (import ../../modules/secrets { inherit lib inputs config; }) @@ -100,10 +100,6 @@ in services = { fwupd.enable = true; - openssh = { - enable = true; - harden = true; - }; locate = { enable = true; package = pkgs.plocate; diff --git a/hosts/eetion-02/default.nix b/hosts/eetion-02/default.nix index cb35d58..e359824 100644 --- a/hosts/eetion-02/default.nix 
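Review bot: The import swap from `../../modules/ssh/hardened-openssh.nix` to `../../modules/ssh` in the first andromache hunk, combined with the removal of `openssh = { enable = true; harden = true; }` in the second, makes both sshd enablement and hardening depend on a module that is not among the eight files in this patch. The same pattern repeats in the astyanax, eetion-02, eetion, hecuba, vm and both SD-image hunks. Before merging, confirm that the `default.nix` that `../../modules/ssh` resolves to still pulls in the hardened-openssh definitions and sets both options, presumably via `lib.mkDefault` so a host can still override them. If `harden` falls back to off, these hosts would evaluate cleanly with stock sshd settings. A short comment beside each import, such as `# enables and hardens sshd by default`, would keep that dependency visible in the host files.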
+++ b/hosts/eetion-02/default.nix @@ -10,7 +10,7 @@ in { imports = [ ./hard.nix - ../../modules/ssh/hardened-openssh.nix + ../../modules/ssh ]; ssh = { @@ -59,13 +59,6 @@ in security.sudo.wheelNeedsPassword = false; - services = { - openssh = { - enable = true; - harden = true; - }; - }; - environment.systemPackages = with pkgs; [ vim git diff --git a/hosts/eetion/default.nix b/hosts/eetion/default.nix index 7ed9e00..f8c0963 100644 --- a/hosts/eetion/default.nix +++ b/hosts/eetion/default.nix @@ -10,7 +10,7 @@ in { imports = [ ./hard.nix - ../../modules/ssh/hardened-openssh.nix + ../../modules/ssh ]; ssh = { @@ -52,11 +52,6 @@ in security.sudo.wheelNeedsPassword = false; services = { - openssh = { - enable = true; - harden = true; - }; - paperless = { enable = true; passwordFile = "/etc/paperless-admin-pass"; diff --git a/hosts/hecuba/default.nix b/hosts/hecuba/default.nix index be459e2..acb642f 100644 --- a/hosts/hecuba/default.nix +++ b/hosts/hecuba/default.nix @@ -15,7 +15,7 @@ in inputs.disko.nixosModules.disko ../../modules/common ./hard.nix - ../../modules/ssh/hardened-openssh.nix + ../../modules/ssh ../../modules/docker ../../modules/uptime-kuma ]; @@ -78,9 +78,4 @@ in enable = true; maxretry = 5; }; - - services.openssh = { - enable = true; - harden = true; - }; } diff --git a/hosts/vm/default.nix b/hosts/vm/default.nix index 4cd3bf0..f23db79 100644 --- a/hosts/vm/default.nix +++ b/hosts/vm/default.nix @@ -24,7 +24,7 @@ in ../../modules/localization ../../modules/x ../../modules/fonts - ../../modules/ssh/hardened-openssh.nix + ../../modules/ssh ../../modules/storage (import ../../modules/secrets { inherit lib inputs config; @@ -63,9 +63,5 @@ in services = { qemuGuest.enable = true; spice-vdagentd.enable = true; - openssh = { - enable = true; - harden = true; - }; }; } diff --git a/images/sd-image-orange-pi-aarch64.nix b/images/sd-image-orange-pi-aarch64.nix index 47e1563..f0686ac 100644 --- a/images/sd-image-orange-pi-aarch64.nix 
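Review bot: In the second eetion-02 hunk, `security.sudo.wheelNeedsPassword = false` stays while the explicit `harden = true` below it is removed, so an accepted SSH login for a wheel user is effectively root and the sshd policy protecting it is now an inherited default. eetion and both SD images show the same combination. These hosts would be safer asserting the state they rely on, for example `assertions = [{ assertion = config.services.openssh.settings.PasswordAuthentication == false; message = "passwordless sudo requires key-only sshd"; }];`. That assumes the hardened profile is what disables password authentication and that `config` is in scope in these files, neither of which is visible in this patch. In hecuba, the fail2ban block with `maxretry = 5` presumably also expects sshd to remain enabled by the module.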
+++ b/images/sd-image-orange-pi-aarch64.nix @@ -12,7 +12,7 @@ let in { imports = [ - ../modules/ssh/hardened-openssh.nix + ../modules/ssh ]; ssh.username = username; @@ -37,21 +37,5 @@ in security.sudo.wheelNeedsPassword = false; - services.openssh = { - enable = true; - harden = true; - }; - - # sdImage.postBuildCommands = - # let - # bootloaderPackage = pkgs.ubootOrangePiZero2; - # bootloaderSubpath = "/u-boot-sunxi-with-spl.bin"; - # in - # '' - # dd if=${bootloaderPackage}${bootloaderSubpath} of=$img \ - # bs=8 seek=1024 \ - # conv=notrunc - # ''; - system.stateVersion = "26.05"; } diff --git a/images/sd-image-raspberry-pi-aarch64.nix b/images/sd-image-raspberry-pi-aarch64.nix index 5165c01..8ac5af6 100644 --- a/images/sd-image-raspberry-pi-aarch64.nix +++ b/images/sd-image-raspberry-pi-aarch64.nix @@ -12,7 +12,7 @@ let in { imports = [ - ../modules/ssh/hardened-openssh.nix + ../modules/ssh ]; ssh.username = username; @@ -60,11 +60,6 @@ in security.sudo.wheelNeedsPassword = false; - services.openssh = { - enable = true; - harden = true; - }; - environment.systemPackages = with pkgs; [ libraspberrypi ];
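Review bot: The second orange-pi hunk also deletes the commented-out `sdImage.postBuildCommands` block that writes `u-boot-sunxi-with-spl.bin` into the image with `dd`, which the subject line (an SSH module refactor) does not cover. If that bootloader step is still how the image is meant to become bootable, the recipe is now recoverable only from history. Either move the removal into its own commit or leave a pointer such as `# u-boot write step removed; see git history for the dd recipe`. The attribute set this hunk edits begins outside the visible context.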