From 429efc52aef0066f5e382e24465f0850a0c17fd6 Mon Sep 17 00:00:00 2001 From: Filippo Berto Date: Sun, 18 Dec 2022 19:02:50 +0100 Subject: [PATCH] Remote deployment configuration --- flake.nix | 27 ++++++++++++++++++++++++--- loki/configuration.nix | 2 +- nixos_modules/remote-deploy.nix | 10 ++++++++++ thor/configuration.nix | 2 -- 4 files changed, 35 insertions(+), 6 deletions(-) create mode 100644 nixos_modules/remote-deploy.nix diff --git a/flake.nix b/flake.nix index 2e5de58..8e63db4 100644 --- a/flake.nix +++ b/flake.nix @@ -119,6 +119,7 @@ ./nixos_modules/bertof_user.nix ./nixos_modules/distributed.nix + ./nixos_modules/remote-deploy.nix ./nixos_modules/extended_registry.nix ./nixos_modules/automatic-garbage-collection.nix ./nixos_modules/automatic-upgrade.nix @@ -251,20 +252,40 @@ }; }; - images = with flake-utils.lib; eachSystem [ system.x86_64-linux system.aarch64-linux ] (system: + images = with flake-utils.lib; let + installerModules = [ + # Nix configuration + { + nixpkgs = { inherit overlays config; }; + nix = { + extraOptions = "experimental-features = nix-command flakes"; + registry = { + stable = { from = { id = "stable"; type = "indirect"; }; flake = nixpkgs; }; + unstable = { from = { id = "unstable"; type = "indirect"; }; flake = nixpkgs-u; }; + }; + }; + } + + ./nixos_modules/bertof_user.nix + ./nixos_modules/distributed.nix + ./nixos_modules/extended_registry.nix + ./nixos_modules/zerotier.nix + ]; + in + eachSystem [ system.x86_64-linux system.aarch64-linux ] (system: { packages = { # Installer ISO install-iso = nixos-generators.nixosGenerate { inherit system; - modules = commonModules ++ [ ./nixos_modules/installer.nix ]; + modules = installerModules ++ [ ./nixos_modules/installer.nix ]; format = "install-iso"; }; # Installer DigitalOcean do = nixos-generators.nixosGenerate { inherit system; - modules = commonModules ++ [ ./nixos_modules/installer.nix ]; + modules = installerModules ++ [ ./nixos_modules/installer.nix ]; format = "do"; }; }; 
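Review bot: In flake.nix at `@@ -119,6 +119,7 @@`, `./nixos_modules/remote-deploy.nix` is added to a shared module list, so every host built from that list gets sshd enabled, the firewall port opened and key-based root login, not only the machines that are actually deployed to remotely. The list's name and its consumers are outside the hunk, so confirm this is intended for all of them. If it is, a comment on the line would make the scope explicit, e.g. `# enables sshd + key-only root login on every host using this list`; otherwise import the module only from the hosts that are deployment targets.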
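Review bot: In flake.nix at `@@ -251,20 +252,40 @@`, `installerModules` restates the inline Nix settings block and four module paths by hand. If these mirror the head of `commonModules` (its definition is outside the hunk), the two lists will drift the next time one of them is edited. Consider defining a shared base list once and deriving both from it, e.g. `commonModules = baseModules ++ [ ./nixos_modules/remote-deploy.nix ];` and `installerModules = baseModules ++ [ ./nixos_modules/zerotier.nix ];`, adjusted to whatever each list really needs. A short comment above `installerModules` should say why the images leave out the remaining common modules, since the installer's SSH policy then depends on `installer.nix` alone, which is not shown here.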
diff --git a/loki/configuration.nix b/loki/configuration.nix index 7f529ce..610d32a 100644 --- a/loki/configuration.nix +++ b/loki/configuration.nix @@ -106,7 +106,7 @@ with lib; { openssh = { enable = true; openFirewall = true; - permitRootLogin = "no"; + # permitRootLogin = "no"; passwordAuthentication = false; }; # plex = { enable = true; openFirewall = true; group = "users"; }; diff --git a/nixos_modules/remote-deploy.nix b/nixos_modules/remote-deploy.nix new file mode 100644 index 0000000..f57e5eb --- /dev/null +++ b/nixos_modules/remote-deploy.nix @@ -0,0 +1,10 @@ +{ + services.openssh = { + enable = true; + openFirewall = true; + + permitRootLogin = "prohibit-password"; + passwordAuthentication = false; + kbdInteractiveAuthentication = false; + }; +} diff --git a/thor/configuration.nix b/thor/configuration.nix index 76033d9..9454640 100644 --- a/thor/configuration.nix +++ b/thor/configuration.nix @@ -128,8 +128,6 @@ with lib; { openssh = { enable = true; openFirewall = true; - permitRootLogin = "no"; - passwordAuthentication = false; forwardX11 = true; }; pipewire = {
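Review bot: In loki/configuration.nix, commenting out `permitRootLogin = "no";` leaves a line that reads as if root login were still disabled. The effective value presumably now comes from nixos_modules/remote-deploy.nix (`"prohibit-password"`), assuming loki imports the shared list. Delete the line as thor/configuration.nix does, or replace it with a comment that states the real policy, e.g. `# root login: key-only, set in nixos_modules/remote-deploy.nix`. The remaining `enable`, `openFirewall` and `passwordAuthentication` entries duplicate the module and could be dropped as well. The enclosing attribute set starts and ends outside the hunk.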
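Review bot: nixos_modules/remote-deploy.nix sets `permitRootLogin = "prohibit-password"` as a plain definition, so a host that wants a stricter value has to use `lib.mkForce`. A host that still sets `"no"` at normal priority gets a conflicting-definition error, which is presumably why the loki and thor hunks drop their own lines. Consider `permitRootLogin = lib.mkDefault "prohibit-password";`, with the module opening as `{ lib, ... }:`, so a host can opt back into `"no"` without forcing. The file also needs a header comment saying that root SSH is allowed for remote deployment and where root's authorized keys are defined, which this patch does not show. If the deployment tool can connect as an unprivileged user and elevate with sudo (for example `nixos-rebuild --use-remote-sudo`), root login could stay disabled altogether.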