From fa55edf0de1410c653fa809c4e988c93977ab5b3 Mon Sep 17 00:00:00 2001
From: Daniel Lundin
Date: Sun, 17 Nov 2024 20:45:09 +0100
Subject: [PATCH] chore: remove openssh for now
---
 flake.nix | 1 -
 modules/image/builder.nix | 3 ---
 modules/image/default.nix | 9 ---------
 modules/image/ssh.nix | 40 -------------------------------------
 modules/profiles/base.nix | 3 ---
 modules/profiles/devel.nix | 10 ----------
 modules/profiles/server.nix | 1 -
 pkgs/openssh.nix | 7 -------
 tests/ssh-preseed.nix | 37 ----------------------------------
 9 files changed, 111 deletions(-)
 delete mode 100644 modules/image/ssh.nix
 delete mode 100644 pkgs/openssh.nix
 delete mode 100644 tests/ssh-preseed.nix
diff --git a/flake.nix b/flake.nix
index 6043897..d82cc3a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -74,7 +74,6 @@
 };
 checks.${system} = {
- ssh-preseed = import ./tests/ssh-preseed.nix { inherit pkgs self; };
 podman = import ./tests/podman.nix { inherit pkgs self; };
 system-update = import ./tests/system-update.nix { inherit pkgs self; };
 };
diff --git a/modules/image/builder.nix b/modules/image/builder.nix
index ba3329c..4d7a94b 100644
--- a/modules/image/builder.nix
+++ b/modules/image/builder.nix
@@ -76,9 +76,6 @@ let
 contents = {
 "/EFI/BOOT/BOOT${lib.toUpper efiArch}.EFI".source = "${pkgs.systemdUkify}/lib/systemd/boot/efi/systemd-boot${efiArch}.efi";
 "/EFI/Linux/${config.system.boot.loader.ukiFile}".source = "${config.system.build.uki}/${config.system.boot.loader.ukiFile}";
- "/default-ssh-authorized-keys.txt" = lib.mkIf config.system.image.sshKeys.enable {
- source = pkgs.writeText "ssh-keys" (lib.concatStringsSep "\n" config.system.image.sshKeys.keys);
- };
 };
 repartConfig = {
 Type = "esp";
diff --git a/modules/image/default.nix b/modules/image/default.nix
index aea2484..dc705e9 100644
--- a/modules/image/default.nix
+++ b/modules/image/default.nix
@@ -8,7 +8,6 @@
 imports = [
 ./updater.nix
- ./ssh.nix
 ./builder.nix
 ./veritysetup.nix
 ];
@@ -127,14 +126,6 @@
 "nls_iso8859-1"
 ];
- # Store SSH host keys on /var/lib/ssh since /etc is read-only
- services.openssh.hostKeys = [
- {
- path = "/var/lib/ssh/ssh_host_ed25519_key";
- type = "ed25519";
- }
- ];
-
 environment.etc."machine-id" = {
 text = "";
 mode = "0755";
diff --git a/modules/image/ssh.nix b/modules/image/ssh.nix
deleted file mode 100644
index 5e7612a..0000000
--- a/modules/image/ssh.nix
+++ /dev/null
@@ -1,40 +0,0 @@
-{ config, lib, ... }:
-{
- options.system.image.sshKeys = {
- enable = lib.mkEnableOption "provisioning of default SSH keys from ESP";
- keys = lib.mkOption {
- type = lib.types.listOf lib.types.singleLineStr;
- default = [ ];
- };
- };
-
- config = lib.mkIf config.system.image.sshKeys.enable {
-
- assertions = [
- {
- assertion = config.services.openssh.enable;
- message = "OpenSSH must be enabled to preseed authorized keys";
- }
- ];
-
- systemd.services."default-ssh-keys" = {
- script = ''
- mkdir -p /var/home/admin/.ssh/
- cat /efi/default-ssh-authorized-keys.txt >> /var/home/admin/.ssh/authorized_keys
- '';
- wantedBy = [
- "sshd.service"
- "sshd.socket"
- ];
- unitConfig = {
- ConditionPathExists = [
- "/var/home/admin"
- "!/var/home/admin/.ssh/authorized_keys"
- "/efi/default-ssh-authorized-keys.txt"
- ];
- };
- };
-
- };
-
-}
diff --git a/modules/profiles/base.nix b/modules/profiles/base.nix
index 521ae9f..419c55d 100644
--- a/modules/profiles/base.nix
+++ b/modules/profiles/base.nix
@@ -45,9 +45,6 @@
 # FIXME: fstrim should only be enabled for virtual machine images?
 services.fstrim.enable = true;
-
- services.openssh.settings.PasswordAuthentication = lib.mkDefault false;
-
 users.allowNoPasswordLogin = true;
 users.users.root.home = lib.mkForce "/";
diff --git a/modules/profiles/devel.nix b/modules/profiles/devel.nix
index 3c04d04..011f773 100644
--- a/modules/profiles/devel.nix
+++ b/modules/profiles/devel.nix
@@ -36,14 +36,4 @@
 };
 services.getty.autologinUser = "admin";
-
- services.openssh.enable = true;
- system.image.sshKeys.enable = true;
- system.image.sshKeys.keys = [
- "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIHMAEZx02kbHrEygyPQYStiXlrIe6EIqBCv7anIkL0pAAAABHNzaDo= dln1"
- "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIJNOBFoU7Cdsgi4KpYRcv7EhR/8kD4DYjEZnwk6urRx7AAAABHNzaDo= dln2"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKDx+7ZEJi7lUCAtoHRRIduJzH3hrpx4YS1f0ZxrJ+uW dln3"
- "sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBLpoKvsZDIQQLfgzJhe1jAQubBNxjydkj8UfdUPaSXqgfB02OypMOC1m5ZuJYcQIxox0I+4Z8xstFhYP6s8zKZwAAAAEc3NoOg== lsjostro1"
- "sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBJ10mLOpInoqDaySyrxbzvcOrJfLw48Y6eWHa9501lw+hEEBXya3ib7nlvpCqEQJ8aPU5fVRqpkOW5zSimCiRbwAAAAEc3NoOg== lsjostro2"
- ];
 }
diff --git a/modules/profiles/server.nix b/modules/profiles/server.nix
index b17f264..830762e 100644
--- a/modules/profiles/server.nix
+++ b/modules/profiles/server.nix
@@ -14,6 +14,5 @@
 "quiet"
 ];
- virtualisation.podman.enable = true;
 }
diff --git a/pkgs/openssh.nix b/pkgs/openssh.nix
deleted file mode 100644
index 91de381..0000000
--- a/pkgs/openssh.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ prev, ... }:
-
-prev.openssh.overrideAttrs (final: prev: {
- doCheck = false;
- doInstallCheck = false;
- dontCheck = true;
-})
diff --git a/tests/ssh-preseed.nix b/tests/ssh-preseed.nix
deleted file mode 100644
index 0d5baa1..0000000
--- a/tests/ssh-preseed.nix
+++ /dev/null
@@ -1,37 +0,0 @@
-{ pkgs, self }:
-let
- lib = pkgs.lib;
- test-common = import ./common.nix { inherit self lib pkgs; };
- sshKeys = import (pkgs.path + "/nixos/tests/ssh-keys.nix") pkgs;
-
- image = test-common.makeImage {
- system.image.sshKeys.keys = [ sshKeys.snakeOilPublicKey ];
- system.extraDependencies = [ sshKeys.snakeOilPrivateKey ];
- };
-
-in
-test-common.makeImageTest {
- name = "ssh-preseed";
- inherit image;
- script = ''
- start_tpm()
- machine.start()
-
- machine.wait_for_unit("multi-user.target")
-
- machine.succeed("[ -e /efi/default-ssh-authorized-keys.txt ]")
- machine.succeed("[ -e /var/home/admin/.ssh/authorized_keys ]")
-
- machine.wait_for_open_port(22)
-
- machine.succeed(
- "cat ${sshKeys.snakeOilPrivateKey} > privkey.snakeoil"
- )
- machine.succeed("chmod 600 privkey.snakeoil")
-
- machine.succeed(
- "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil admin@127.0.0.1 true",
- timeout=30
- )
- '';
-}