From 259de683be2e7de7d52854680608299c870a6a2c Mon Sep 17 00:00:00 2001
From: Seongmin Lee
Date: Fri, 24 Oct 2025 03:05:04 +0900
Subject: [PATCH] nix/modules/knot: make ssh ports configurable

Change-Id: qrzyzsxkvpwtzkpxuyuposrkwpuntzsu
Close: #269
Signed-off-by: Seongmin Lee
---
 nix/modules/knot.nix | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/nix/modules/knot.nix b/nix/modules/knot.nix
index dabbd396..d3e5a079 100644
--- a/nix/modules/knot.nix
+++ b/nix/modules/knot.nix
@@ -32,10 +32,16 @@ in
 description = "User that hosts git repos and performs git operations";
 };

+ sshPorts = mkOption {
+ type = types.listOf types.port;
+ default = [22];
+ description = "Specifies ports used for ssh";
+ };
+
 openFirewall = mkOption {
 type = types.bool;
 default = true;
- description = "Open port 22 in the firewall for ssh";
+ description = "Open ssh port in the firewall";
 };

 stateDir = mkOption {
@@ -138,6 +144,7 @@ in

 services.openssh = {
 enable = true;
+ ports = cfg.sshPorts;
 extraConfig = ''
 Match User ${cfg.gitUser}
 AuthorizedKeysCommand /etc/ssh/keyfetch_wrapper
@@ -206,6 +213,6 @@ in
 };
 };

- networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [22];
+ networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall cfg.sshPorts;
 };
 }
--
2.43.0
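Review bot: The `sshPorts` description, "Specifies ports used for ssh", does not tell an operator that the value is passed to `services.openssh.ports` and so moves the host's sshd for every account, not only git traffic for `gitUser`. I would state that directly, e.g. `description = "Ports the host's sshd listens on (sets services.openssh.ports); opened in the firewall when openFirewall is true";`. The type also accepts an empty list, which would leave the firewall rule empty while sshd presumably falls back to its built-in default port; `types.nonEmptyListOf types.port` would reject that at evaluation time.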
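Review bot: `ports = cfg.sshPorts;` in the `services.openssh` block is an ordinary-priority definition of a list option, so it is concatenated with any `services.openssh.ports` the host configuration already sets instead of replacing it. A host that had moved sshd off port 22 and leaves `sshPorts` at its default `[22]` would, after this change, have sshd listening on 22 again alongside its chosen port. Consider a comment on this line such as `# merged with other services.openssh.ports definitions; sshd listens on the union`, plus an assertion that `config.services.openssh.ports` equals `cfg.sshPorts` so a divergence fails evaluation rather than going unnoticed. The `services.openssh` block continues past the end of the hunk.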
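Review bot: Setting `openFirewall = false` probably does not keep these ports closed, because the rule on the `networking.firewall.allowedTCPPorts` line is not the only thing that opens them. The NixOS openssh module has its own `services.openssh.openFirewall`, which as far as I know defaults to true and opens whatever `services.openssh.ports` contains; that should be confirmed against the nixpkgs version in use. If it holds, either say so in the `openFirewall` description or add `openFirewall = mkDefault cfg.openFirewall;` inside the `services.openssh` block, assuming `mkDefault` is in scope like `mkIf`. The enclosing `config` block starts outside this hunk.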