From e86b2f184fc424c33fbebab7479637b49120009a Mon Sep 17 00:00:00 2001
From: Noah Masur <7386960+nmasur@users.noreply.github.com>
Date: Wed, 12 Jul 2023 23:33:35 -0400
Subject: [PATCH] fix: cloudflare tunnel on tempest requires openssh, but removing public key
---
 hosts/flame/default.nix | 1 +
 hosts/swan/default.nix | 1 +
 hosts/tempest/default.nix | 1 +
 modules/nixos/services/sshd.nix | 5 ++---
 4 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/hosts/flame/default.nix b/hosts/flame/default.nix
index b2dae92..93fe988 100644
--- a/hosts/flame/default.nix
+++ b/hosts/flame/default.nix
@@ -49,6 +49,7 @@ inputs.nixpkgs.lib.nixosSystem {
 services.caddy.enable = true;
 services.grafana.enable = true;
+ services.openssh.enable = true;
 services.prometheus.enable = true;
 services.gitea.enable = true;
 services.vaultwarden.enable = true;
diff --git a/hosts/swan/default.nix b/hosts/swan/default.nix
index ef52312..2abdd6c 100644
--- a/hosts/swan/default.nix
+++ b/hosts/swan/default.nix
@@ -56,6 +56,7 @@ inputs.nixpkgs.lib.nixosSystem {
 services.jellyfin.enable = true;
 services.nextcloud.enable = true;
 services.calibre-web.enable = true;
+ services.openssh.enable = true;
 services.prometheus.enable = true;
 services.samba.enable = true;
diff --git a/hosts/tempest/default.nix b/hosts/tempest/default.nix
index a6a4f33..466eba6 100644
--- a/hosts/tempest/default.nix
+++ b/hosts/tempest/default.nix
@@ -92,6 +92,7 @@ inputs.nixpkgs.lib.nixosSystem {
 ryujinx.enable = true;
 };
+ services.openssh.enable = true; # Required for Cloudflare tunnel
 cloudflareTunnel = {
 enable = true;
 id = "ac133a82-31fb-480c-942a-cdbcd4c58173";
diff --git a/modules/nixos/services/sshd.nix b/modules/nixos/services/sshd.nix
index 8cb3370..a160baa 100644
--- a/modules/nixos/services/sshd.nix
+++ b/modules/nixos/services/sshd.nix
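Review bot: In hosts/tempest/default.nix the added `services.openssh.enable = true;` starts sshd only so the Cloudflare tunnel can use it, yet nothing here restricts who else can reach the daemon. NixOS defaults `services.openssh.openFirewall` to true and the shared sshd module sets `ports = [ 22 ]`, so port 22 is presumably opened on every interface of this host as well. If cloudflared connects to sshd locally (not visible in this patch), add `services.openssh.openFirewall = false;` beside the enable line. The same one-line enable is added for flame and swan, where direct SSH may be intended; the enclosing attribute set continues outside all three hunks.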
@@ -13,9 +13,8 @@
 };
 };
- config = lib.mkIf (config.publicKey != null) {
+ config = lib.mkIf config.services.openssh.enable {
 services.openssh = {
- enable = true;
 ports = [ 22 ];
 allowSFTP = true;
 settings = {
@@ -27,7 +26,7 @@
 };
 users.users.${config.user}.openssh.authorizedKeys.keys =
- [ config.publicKey ];
+ lib.mkIf (config.publicKey != null) [ config.publicKey ];
 # Implement a simple fail2ban service for sshd
 services.sshguard.enable = true;
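Review bot: Gating the module on `config.services.openssh.enable` makes sshd opt-in per host, so a host that sets `publicKey` but is not touched by this patch silently loses its sshd configuration. Only flame, swan and tempest gain the flag here; whether other hosts exist is not visible. A comment above the guard such as `# sshd is opt-in: hosts must set services.openssh.enable; publicKey alone no longer enables it` would document the new contract. A `warnings` entry raised when `publicKey != null` while openssh is disabled would additionally catch a missed host. The `settings` block continues past the end of this hunk.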
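Review bot: With `publicKey` null the user now gets no authorized key while sshd still runs, so what can authenticate depends entirely on the `settings` block, which lies outside both hunks. If that block does not already set `PasswordAuthentication = false;` and `KbdInteractiveAuthentication = false;`, a key-less host such as tempest would accept password logins on port 22. A comment on the `lib.mkIf (config.publicKey != null)` line, for example `# no key on tunnel-only hosts; authentication is handled by <mechanism>`, would record how such hosts are meant to be reached.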