feat(exports): sshd service

modules/system/exports/sshd.nix

@@ -0,0 +1,41 @@
+{lib, gensokyo-zone, ...}: let
+  inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault;
+  inherit (lib.modules) mkIf;
+  inherit (lib.attrsets) mapAttrs filterAttrs mapAttrsToList;
+  inherit (lib.lists) sort;
+in {
+  config.exports.services.sshd = { config, ... }: let
+    mkAssertion = f: nixosConfig: let
+      cfg = nixosConfig.services.openssh;
+    in f nixosConfig cfg;
+    sorted = sort (a: b: a > b);
+    assertPorts = nixosConfig: cfg: let
+      nixosPorts = cfg.ports;
+      enabledPorts = filterAttrs (_: port: port.enable) config.ports;
+      servicePorts = mapAttrsToList (_: port: port.port) enabledPorts;
+    in {
+      assertion = sorted nixosPorts == sorted servicePorts;
+      message = "port mismatch: ${toString nixosPorts} != ${toString servicePorts}";
+    };
+  in {
+    id = mkAlmostOptionDefault "ssh";
+    nixos = {
+      serviceAttr = "openssh";
+      assertions = mkIf config.enable [
+        (mkAssertion assertPorts)
+      ];
+    };
+    defaults.port.listen = mkAlmostOptionDefault "wan";
+    ports = mapAttrs (_: mapAlmostOptionDefaults) {
+      public = {
+        port = 62954;
+        transport = "tcp";
+      };
+      standard = {
+        port = 22;
+        transport = "tcp";
+        listen = "lan";
+      };
+    };
+  };
+}

systems/aya/default.nix

@@ -9,6 +9,7 @@ _: {
   ];
   exports = {
     services = {
+      sshd.enable = true;
       tailscale.enable = true;
     };
   };

systems/ct/default.nix

@@ -11,4 +11,9 @@ _: {
       address6 = null;
     };
   };
+  exports = {
+    services = {
+      sshd.enable = true;
+    };
+  };
 }

systems/freeipa/default.nix

@@ -32,6 +32,10 @@ _: {
   };
   exports = {
     services = {
+      sshd = {
+        enable = true;
+        ports.public.enable = false;
+      };
       freeipa.enable = true;
       ldap.enable = true;
       kerberos.enable = true;

systems/freepbx/default.nix

@@ -16,6 +16,10 @@ _: {
   };
   exports = {
     services = {
+      sshd = {
+        enable = true;
+        ports.public.enable = false;
+      };
       freepbx.enable = true;
     };
   };

systems/hakurei/default.nix

@@ -24,6 +24,14 @@ _: {
         enable = true;
         id = "login.local";
       };
+      sshd = {
+        enable = true;
+        ports.global = {
+          port = 41022;
+          transport = "tcp";
+          listen = "wan";
+        };
+      };
     };
     exports = {
       plex.enable = true;

systems/keycloak/default.nix

@@ -9,6 +9,7 @@ _: {
   ];
   exports = {
     services = {
+      sshd.enable = true;
       keycloak.enable = true;
       vouch-proxy.enable = true;
     };

systems/kitchencam/default.nix

@@ -17,6 +17,10 @@ _: {
   };
   exports = {
     services = {
+      sshd = {
+        enable = true;
+        ports.public.enable = false;
+      };
       motion = {
         id = "kitchen";
         enable = true;

systems/kuwubernetes/default.nix

@@ -19,4 +19,9 @@ _: {
       };
     };
   };
+  exports = {
+    services = {
+      sshd.enable = true;
+    };
+  };
 }

systems/litterbox/default.nix

@@ -9,6 +9,7 @@ _: {
   ];
   exports = {
     services = {
+      sshd.enable = true;
       tailscale.enable = true;
     };
   };

systems/mediabox/default.nix

@@ -9,6 +9,7 @@ _: {
   ];
   exports = {
     services = {
+      sshd.enable = true;
       plex.enable = true;
       invidious.enable = true;
     };

systems/reimu/default.nix

@@ -9,6 +9,7 @@ _: {
   ];
   exports = {
     services = {
+      sshd.enable = true;
       tailscale.enable = true;
       nfs.enable = true;
     };

systems/tei/default.nix

@@ -9,6 +9,7 @@ _: {
   ];
   exports = {
     services = {
+      sshd.enable = true;
       tailscale.enable = true;
       home-assistant.enable = true;
       zigbee2mqtt.enable = true;

systems/utsuho/default.nix

@@ -9,6 +9,7 @@ _: {
   ];
   exports = {
     services = {
+      sshd.enable = true;
       unifi.enable = true;
       mosquitto.enable = true;
       dnsmasq.enable = true;