From 9046677414b77a7e847c3649f066622845f7f338 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christopher=20M=C3=BChl?= Date: Tue, 6 Jan 2026 03:40:45 +0100 Subject: [PATCH] ssh by default --- configurations/nixos/aepplet/default.nix | 34 ++---- configurations/nixos/endurance/default.nix | 116 ++++++++------------- modules/generic/default.nix | 16 ++- modules/generic/nix.nix | 5 + modules/generic/ssh.nix | 10 ++ 5 files changed, 81 insertions(+), 100 deletions(-) create mode 100644 modules/generic/ssh.nix diff --git a/configurations/nixos/aepplet/default.nix b/configurations/nixos/aepplet/default.nix index 361cb24..35504d7 100644 --- a/configurations/nixos/aepplet/default.nix +++ b/configurations/nixos/aepplet/default.nix @@ -10,50 +10,32 @@ ]; bosun = { - # quirks = ["avahi" "docker"]; - key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPjqieS4GkYAa1WRYZpxjgYsj7VGZ9U+rTFCkX8M0umD"; + + profiles = { + docker.enable = true; + work.enable = true; + }; }; system.stateVersion = "24.11"; - # Enable nix flakes - nix = { - package = pkgs.nixVersions.stable; - extraOptions = '' - experimental-features = nix-command flakes - ''; - }; - - services.openssh = { - enable = true; - settings = { - PasswordAuthentication = false; - AllowUsers = ["toph"]; - }; - }; - # Set the default drive, which in the case of Mercury is # a VirtualBox image. disko.devices.disk.main.device = "/dev/sda"; boot.loader.grub.enable = true; - networking.hostName = "aepplet"; - time.timeZone = "Europe/Berlin"; environment.systemPackages = with pkgs; [ inputs.docker-compose-1.legacyPackages."x86_64-linux".docker-compose gnumake ]; - console = { - font = "Lat2-Terminus16"; - keyMap = lib.mkForce "de"; + programs = { + vim.enable = true; + git.enable = true; }; - programs.vim.enable = true; - programs.git.enable = true; - # Disable the firewall so that all traffic is allowed networking.firewall.enable = false; 
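Review bot: With the `key` attribute under `bosun` and the host-level `services.openssh` block both removed in this hunk, nothing left in the file says where this machine's authorized keys or sshd policy now come from, while password login stays disabled through the generic module. What `bosun.key` was used for is not visible here, so confirm that `toph` still receives an authorized key from another module before deploying; otherwise the host is reachable only from the console. The effective `AllowUsers` on this host also changes from `["toph"]` to the generic list, and the context line `networking.firewall.enable = false;` leaves the host unfiltered. A comment beside the firewall line would record this, for example `# sshd policy: modules/generic/ssh.nix; authorized keys: <MODULE>`. The enclosing attribute set starts and ends outside the hunk.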
diff --git a/configurations/nixos/endurance/default.nix b/configurations/nixos/endurance/default.nix index 4867ac7..64ee12c 100644 --- a/configurations/nixos/endurance/default.nix +++ b/configurations/nixos/endurance/default.nix @@ -30,27 +30,19 @@ }; networking = { - hostName = "endurance"; firewall.enable = false; interfaces.eno1.wakeOnLan.enable = true; }; - # Set your time zone. - time.timeZone = "Europe/Berlin"; - - console = { - font = "Lat2-Terminus16"; - useXkbConfig = true; # use xkbOptions in tty. - }; - - xdg.portal = { - enable = true; - xdgOpenUsePortal = true; - }; - programs = { weylus.users = ["toph"]; + gnupg.agent = { + enable = true; + pinentryPackage = pkgs.pinentry-gtk2; + enableSSHSupport = true; + }; + dconf.enable = true; steam = { @@ -58,10 +50,7 @@ protontricks.enable = true; remotePlay.openFirewall = true; }; - # VR support envision.enable = true; - - # For game-related system optimisations gamemode.enable = true; _1password.enable = true; @@ -71,6 +60,20 @@ # require enabling PolKit integration on some desktop environments (e.g. Plasma). polkitPolicyOwners = ["toph"]; }; + + obs-studio = { + enable = true; + enableVirtualCamera = true; + + plugins = with pkgs.obs-studio-plugins; [ + wlrobs + obs-vaapi + obs-pipewire-audio-capture + obs-backgroundremoval + obs-move-transition + droidcam-obs + ]; + }; }; services = { @@ -83,9 +86,6 @@ ]; }; - openssh.enable = true; - openssh.settings.PasswordAuthentication = false; - hardware.openrgb.enable = true; # Bluetooth manager @@ -118,13 +118,6 @@ # ]; # }; - pipewire = { - enable = lib.mkForce true; - alsa.enable = true; - jack.enable = true; - pulse.enable = true; - }; - usbmuxd = { enable = true; package = pkgs.usbmuxd2; 
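Review bot: Once `openssh.enable = true;` is removed from the `services` set, this file no longer shows that sshd runs on the host, yet `firewall.enable = false;` remains in the `networking` block of the first hunk, so every listening service is reachable from any attached network. With the firewall off, `remotePlay.openFirewall = true;` has no effect either. Consider re-enabling the firewall now that sshd is managed centrally, or record the decision beside it with a comment such as `# firewall off on purpose; sshd comes from modules/generic/ssh.nix`. The `networking`, `programs` and `services` sets all continue outside the hunks.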
@@ -147,19 +140,6 @@ pcscd.enable = true; }; - programs = { - thunar.enable = true; - thunar.plugins = with pkgs.xfce; [ - thunar-archive-plugin - ]; - - gnupg.agent = { - enable = true; - pinentryPackage = pkgs.pinentry-gtk2; - enableSSHSupport = true; - }; - }; - environment = { # List packages installed in system profile. To search, run: # $ nix search wget @@ -208,11 +188,6 @@ overdrive.enable = true; }; - bluetooth = { - enable = true; - powerOnBoot = true; - }; - graphics = { enable = true; enable32Bit = true; @@ -221,6 +196,11 @@ ]; }; + bluetooth = { + enable = true; + powerOnBoot = true; + }; + # SANE scanner support sane = { enable = true; @@ -237,37 +217,27 @@ keyboard.zsa.enable = true; }; - system.stateVersion = "23.05"; # Do not change this value! + # Do not change this value! + system.stateVersion = "23.05"; - # Set up our bootloader - boot.loader = { - efi.canTouchEfiVariables = true; - grub = { - enable = true; - device = "nodev"; - efiSupport = true; + boot = { + # Set up our bootloader + loader = { + efi.canTouchEfiVariables = true; + grub = { + enable = true; + device = "nodev"; + efiSupport = true; + }; }; - }; - programs.obs-studio = { - enable = true; - enableVirtualCamera = true; - - plugins = with pkgs.obs-studio-plugins; [ - wlrobs - obs-vaapi - obs-pipewire-audio-capture - obs-backgroundremoval - obs-move-transition - droidcam-obs + extraModulePackages = with config.boot.kernelPackages; [ + v4l2loopback ]; - }; - boot.extraModulePackages = with config.boot.kernelPackages; [ - v4l2loopback - ]; - boot.kernelModules = ["v4l2loopback"]; - boot.extraModprobeConfig = '' - options v4l2loopback devices=1 video_nr=1 card_label="OBS Cam" exclusive_caps=1 - ''; + kernelModules = ["v4l2loopback"]; + extraModprobeConfig = '' + options v4l2loopback devices=1 video_nr=1 card_label="OBS Cam" exclusive_caps=1 + ''; + }; } diff --git a/modules/generic/default.nix b/modules/generic/default.nix index 7b7dee7..e8e6fd6 100644 --- a/modules/generic/default.nix 
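Review bot: The `programs` block removed by the `@@ -147,19 +140,6 @@` hunk carried `thunar.enable` and its archive plugin, and unlike `gnupg.agent`, which reappears in the earlier `programs` set, nothing in the five files of this patch adds them back. The same holds for `xdg.portal` and the `pipewire` block removed in the earlier hunks of this file, although the relocated OBS plugin list still contains `obs-pipewire-audio-capture`. If a profile outside this patch already provides these, say so in the commit message, which currently reads only "ssh by default"; if not, restore the removed blocks so that the SSH change does not also drop audio, portal and file-manager configuration.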
+++ b/modules/generic/default.nix @@ -1,12 +1,26 @@ -{ pkgs, ... }: { +{ + pkgs, + hostname, + ... +}: { # the `modules/generic` folder is generic only across nixos and darwin, not # across home manager. home modules are in `modules/home` imports = [ ./nix.nix ./profiles.nix ./secrets.nix + ./ssh.nix ]; + # TODO: Move all of these into their own modules? + + console = { + font = "Lat2-Terminus16"; + useXkbConfig = true; # use xkbOptions in tty. + }; + + networking.hostName = hostname; + environment.systemPackages = with pkgs; [ pre-commit git diff --git a/modules/generic/nix.nix b/modules/generic/nix.nix index 331ec96..53f44a0 100644 --- a/modules/generic/nix.nix +++ b/modules/generic/nix.nix @@ -7,6 +7,11 @@ nix = { package = pkgs.lixPackageSets.stable.lix; + # TODO: Is this even needed with lix? + # extraOptions = '' + # experimental-features = nix-command flakes + # ''; + # automatic cleanup gc = { automatic = true; diff --git a/modules/generic/ssh.nix b/modules/generic/ssh.nix new file mode 100644 index 0000000..76d47c1 --- /dev/null +++ b/modules/generic/ssh.nix @@ -0,0 +1,10 @@ +{...}: { + services.openssh = { + enable = true; + settings = { + PasswordAuthentication = false; + # TODO: Determine which user to allow! + AllowUsers = ["toph" "root"]; + }; + }; +}
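Review bot: The new `hostname` argument in the function head is not a standard module argument, so every configuration that imports `modules/generic` has to supply it (presumably through `specialArgs`), and evaluation fails for any host that does not; that wiring is not visible in this patch. The comment kept just below says this folder is shared between NixOS and darwin, so also confirm that `console` and the `services.openssh.settings` used by the newly imported `./ssh.nix` exist on the darwin side, or guard them. A short comment at the argument would help, for example `# hostname: passed in by the flake, one value per host`. The `environment.systemPackages` list continues outside the hunk.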
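Review bot: The commented-out `extraOptions` block in `modules/generic/nix.nix` leaves the TODO's question open while the aepplet hunk of this same patch deletes that host's live `experimental-features = nix-command flakes` setting. Unless the Lix package or another module turns those features on, flake commands on the hosts may stop working after the switch, so check the effective setting on a rebuilt host first. Then either delete the commented block or restore it in live form, for example `settings.experimental-features = ["nix-command" "flakes"];`. The `nix` set continues outside the hunk.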
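Review bot: `AllowUsers = ["toph" "root"];` in the new `modules/generic/ssh.nix` admits root over SSH on every host that imports the generic module, which is wider than the `["toph"]` the aepplet configuration had before this patch, and both host files keep `firewall.enable = false`. NixOS leaves `PermitRootLogin` at `prohibit-password` by default, so root key logins would be accepted as soon as root has an authorized key. Unless remote deployment needs root, resolve the TODO with `AllowUsers = ["toph"];` and `PermitRootLogin = "no";`, and add `KbdInteractiveAuthentication = false;` so that PAM keyboard-interactive prompts cannot stand in for the disabled password login. Making the enable a module default rather than a fixed value would also let a single host opt out of sshd.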