#!/usr/bin/env bash
# sshd sur 22 + 7684 en IPv4 ET IPv6 + ouverture pare-feu. Idempotent.
set +e
P=7684
echo "[1] sshd socket: IPv4 + IPv6 sur 22 + $P"
mkdir -p /etc/systemd/system/ssh.socket.d
cat > /etc/systemd/system/ssh.socket.d/override.conf <<EOF
[Socket]
ListenStream=
ListenStream=0.0.0.0:22
ListenStream=0.0.0.0:$P
ListenStream=[::]:22
ListenStream=[::]:$P
EOF
sed -i '/^[[:space:]]*Port[[:space:]]/d' /etc/ssh/sshd_config
printf 'Port 22\nPort %s\n' "$P" >> /etc/ssh/sshd_config
systemctl daemon-reload
systemctl restart ssh.socket 2>/dev/null
systemctl restart ssh 2>/dev/null
systemctl restart sshd 2>/dev/null
echo "[2] pare-feu autorise $P (idempotent)"
for FW in iptables iptables-legacy ip6tables ip6tables-legacy; do
  command -v $FW >/dev/null 2>&1 && { $FW -C INPUT -p tcp --dport "$P" -j ACCEPT 2>/dev/null || $FW -I INPUT -p tcp --dport "$P" -j ACCEPT 2>/dev/null; }
done
echo "[3] listeners :"
ss -tlnp 2>/dev/null | grep -E ":(22|$P) " || echo "  (rien)"
echo "DONE port=$P (IPv4+IPv6)"