feat: add initial config

services/default.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  imports = [
+    ./openssh.nix
+    ./nginx.nix
+  ];
+}

services/nginx.nix

@@ -0,0 +1,25 @@
+{ config, lib, ... }:
+let
+  serviceConfig = import ../config/services.nix;
+  nginxModel = import ../intermediate/nginx.nix;
+in
+{
+  assertions = [
+    {
+      assertion = nginxModel.validatedEndpoints != [];
+      message = "No endpoints configured. Add endpoint declarations under config/endpoints/.";
+    }
+  ];
+
+  services.nginx = {
+    enable = serviceConfig.nginx.enable;
+
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    streamConfig = nginxModel.streamConfig;
+  };
+
+  networking.firewall.allowedTCPPorts = nginxModel.nginxUsedPorts;
+}

services/openssh.nix

@@ -0,0 +1,32 @@
+{ ... }:
+let
+  lib = import <nixpkgs/lib>;
+  opensshConfig = import ../config/openssh.nix;
+
+  userExtraConfig =
+    if opensshConfig ? extraConfig && opensshConfig.extraConfig ? users && builtins.isAttrs opensshConfig.extraConfig.users then
+      opensshConfig.extraConfig.users
+    else
+      {};
+
+  renderedUserMatches = lib.concatStringsSep "\n" (
+    lib.mapAttrsToList (user: cfg: ''
+      Match User ${user}
+${cfg}
+    '') userExtraConfig
+  );
+in
+{
+  services.openssh = {
+    enable = true;
+    settings = {
+      PasswordAuthentication = true;
+      PermitRootLogin = "no";
+      GatewayPorts = "no";
+      AllowUsers = opensshConfig.ssh_users;
+    };
+    extraConfig = renderedUserMatches;
+  };
+
+  networking.firewall.allowedTCPPorts = [ 22 ];
+}