feat: add engine surface for daemon — listen port, peer SSH host keys, re_stun

[GeiserX]

What

Three small, additive engine-API surfaces the downstream daemon needs (its ENGINE_ASKS.md #22, #23, #26). Each unblocks a daemon CLI feature on a pin bump. Behaviorally faithful to Go tsnet/tailscaled.

#23 — StatusNode.ssh_host_keys (Go ipnstate.PeerStatus.SSH_HostKeys)

The wire HostInfo.ssh_host_keys already existed but wasn't projected. Now the domain Node carries ssh_host_keys: Vec<String> (populated in the wire→domain conversion from HostInfo.sshHostKeys), and StatusNode surfaces it. Pure read-projection. Lets the daemon write a known_hosts from the netmap for tnet ssh (pinned host-key verification, no TOFU).

#26 — Device::re_stun() (Go magicsock.Conn.ReSTUN)

Forces an immediate STUN re-probe / endpoint re-derivation without tearing down sockets — the lighter sibling of rebind(). Reuses the STUN-sweep machinery (probe_stun_servers_once, gated by stun_probe_should_run); no socket swap, no control round-trip; clean no-op when DERP-only. For tnet debug restun.

#22 — Config.wireguard_listen_port: Option<u16> (Go tailscaled --port)

Pins the UDP port magicsock binds for WireGuard + disco. None = ephemeral (unchanged default behavior, = Go's port 0); Some(p) binds p for fixed-firewall-pinhole deployments. Threaded Config → ts_control::Config → Env → bind_underlay_addr (the single initial-bind site). A taken pinned port falls back to ephemeral (never hard-fails bring-up — mirrors rebind_socket's fallback). The bind family is unchanged (IPv4-only default + fail-closed posture untouched — only the port is configurable). A later rebind() keeps the pinned port automatically (it already prefers the current local port).

Tests

Wire→domain→status ssh_host_keys projection (present + absent); re_stun peer-gate + DERP-only no-op; bind_underlay_addr pins a free port and falls back to ephemeral when taken; wireguard_listen_port threads Config → Env and crosses From<&Config>; default is None.

Gates (local, all green — re-verified after rebasing onto current main)

cargo test -p geiserx_ts_control -p geiserx_ts_runtime -p geiserx_tailscale (248 + 354 + 24) · clippy -D warnings (3 crates + tun lane) · cargo fmt --check · cargo doc (broken_intra_doc_links=deny) · cargo run -p checks.

First batch of the daemon engine-asks. After this lands + a release, the daemon enables these via a pin bump: tnet ssh (host-key pinning), tnet debug restun, tailnetd --port. (Separately confirmed for the daemon: the identity-federation feature compiles clean on the facade — the 4 WIF flags need only the feature flag on, no engine code.)

Signed-off-by: Sergio sergio@geiser.cloud

Created using Claude Code (Opus 4.8)

[coderabbitai]

Warning

Review limit reached

@GeiserX, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 34 minutes and 22 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 3e3f5432-5a51-4488-9459-31da41f0c98d

📥 Commits

Reviewing files that changed from the base of the PR and between c3e27c7 and 1c45704.

📒 Files selected for processing (22)

• src/config.rs
• src/lib.rs
• ts_control/src/config.rs
• ts_control/src/node.rs
• ts_control/src/serve.rs
• ts_control/src/service.rs
• ts_runtime/src/derp_latency.rs
• ts_runtime/src/direct.rs
• ts_runtime/src/env.rs
• ts_runtime/src/forwarder_actor.rs
• ts_runtime/src/ipn_bus.rs
• ts_runtime/src/lib.rs
• ts_runtime/src/magic_dns.rs
• ts_runtime/src/netmon.rs
• ts_runtime/src/netstack_actor.rs
• ts_runtime/src/peer_tracker/mod.rs
• ts_runtime/src/peer_tracker/peer_db.rs
• ts_runtime/src/peerapi.rs
• ts_runtime/src/route_updater.rs
• ts_runtime/src/src_filter.rs
• ts_runtime/src/status.rs
• ts_runtime/src/tun_actor.rs

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/engine-asks-listenport-sshkeys-restun

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}