fix: cloudflare tunnel on tempest

requires openssh, but removing public key

hosts/flame/default.nix

@@ -49,6 +49,7 @@ inputs.nixpkgs.lib.nixosSystem {
 
       services.caddy.enable = true;
       services.grafana.enable = true;
+      services.openssh.enable = true;
       services.prometheus.enable = true;
       services.gitea.enable = true;
       services.vaultwarden.enable = true;

hosts/swan/default.nix

@@ -56,6 +56,7 @@ inputs.nixpkgs.lib.nixosSystem {
       services.jellyfin.enable = true;
       services.nextcloud.enable = true;
       services.calibre-web.enable = true;
+      services.openssh.enable = true;
       services.prometheus.enable = true;
       services.samba.enable = true;
 

hosts/tempest/default.nix

@@ -92,6 +92,7 @@ inputs.nixpkgs.lib.nixosSystem {
         ryujinx.enable = true;
       };
 
+      services.openssh.enable = true; # Required for Cloudflare tunnel
       cloudflareTunnel = {
         enable = true;
         id = "ac133a82-31fb-480c-942a-cdbcd4c58173";

modules/nixos/services/sshd.nix

@@ -13,9 +13,8 @@
     };
   };
 
-  config = lib.mkIf (config.publicKey != null) {
+  config = lib.mkIf config.services.openssh.enable {
     services.openssh = {
-      enable = true;
       ports = [ 22 ];
       allowSFTP = true;
       settings = {
@@ -27,7 +26,7 @@
     };
 
     users.users.${config.user}.openssh.authorizedKeys.keys =
-      [ config.publicKey ];
+      lib.mkIf (config.publicKey != null) [ config.publicKey ];
 
     # Implement a simple fail2ban service for sshd
     services.sshguard.enable = true;