From 94d94fb7a2f8d95cc472b2a5c10ac58c86eb9e20 Mon Sep 17 00:00:00 2001
From: naturallaw77
Date: Mon, 6 Apr 2026 18:40:17 -0500
Subject: [PATCH] fixed ssh at first boot
---
 modules/core/sshd-localhost.nix | 21 +++++++++++++++++++++
 modules/modules.nix | 3 ++-
 modules/sshd.nix | 15 ++++++---------
 3 files changed, 29 insertions(+), 10 deletions(-)
 create mode 100644 modules/core/sshd-localhost.nix
diff --git a/modules/core/sshd-localhost.nix b/modules/core/sshd-localhost.nix
new file mode 100644
index 0000000..76be80f
--- /dev/null
+++ b/modules/core/sshd-localhost.nix
@@ -0,0 +1,21 @@
+{ config, lib, pkgs, ... }:
+
+{
+ # ── Always-on localhost SSH ────────────────────────────────────
+ # Provides "ssh root@localhost" for local root access and Hub
+ # operations. Binds exclusively to 127.0.0.1 — zero network exposure.
+ # The sshd *feature flag* in sshd.nix extends this to 0.0.0.0 and
+ # opens port 22 on the firewall when the user enables remote SSH.
+
+ services.openssh = {
+ enable = true;
+ listenAddresses = lib.mkDefault [
+ { addr = "127.0.0.1"; port = 22; }
+ ];
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ PermitRootLogin = "yes";
+ };
+ };
+}
\ No newline at end of file
diff --git a/modules/modules.nix b/modules/modules.nix
index ac31c7d..cf9e7de 100755
--- a/modules/modules.nix
+++ b/modules/modules.nix
@@ -10,6 +10,7 @@
 ./core/ssh-bootstrap.nix
 ./core/tech-support.nix
 ./core/sovran_systemsos-desktop.nix
+ ./core/sshd-localhost.nix
 ./core/sovran-hub.nix
 # ── Always on (no flag) ───────────────────────────────────
@@ -33,4 +34,4 @@
 ./rdp.nix
 ./sshd.nix
 ];
-}
\ No newline at end of file
+}
diff --git a/modules/sshd.nix b/modules/sshd.nix
index a4665ad..a65ac8c 100644
--- a/modules/sshd.nix
+++ b/modules/sshd.nix
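Review bot: `PermitRootLogin = "yes"` in the always-on base module is broader than the loopback use case needs. With PasswordAuthentication and KbdInteractiveAuthentication both off, `PermitRootLogin = "prohibit-password"` gives the same key-based `ssh root@localhost` but keeps root unreachable by password even if another module later turns password auth back on (e.g. via mkForce), and since sshd.nix extends this same sshd instance to 0.0.0.0 the value also governs remote root login. The comment's "binds exclusively to 127.0.0.1" holds for IPv4 only; `localhost` commonly resolves to ::1 first, so either add `{ addr = "::1"; port = 22; }` to the mkDefault list or note in the comment that the client is expected to fall back to 127.0.0.1 after a refused ::1 attempt.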
@@ -2,14 +2,11 @@ lib.mkIf config.sovran_systemsOS.features.sshd {
- services.openssh = {
- enable = true;
- settings = {
- PasswordAuthentication = false;
- KbdInteractiveAuthentication = false;
- PermitRootLogin = "yes";
- };
- };
+ # Extend to listen on all interfaces for remote access
+ services.openssh.listenAddresses = lib.mkForce [
+ { addr = "127.0.0.1"; port = 22; }
+ { addr = "0.0.0.0"; port = 22; }
+ ];
 # Only open port 22 when SSH is actually enabled
 networking.firewall.allowedTCPPorts = [ 22 ];
@@ -20,4 +17,4 @@ lib.mkIf config.sovran_systemsOS.features.sshd {
 ignoreIP = [ "127.0.0.0/8" "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" ];
 };
-}
+}
\ No newline at end of file
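Review bot: The `127.0.0.1` entry in the mkForce list is redundant with `0.0.0.0`, which already accepts loopback connections. On Linux, binding a specific address to a port whose wildcard socket is already listening fails with EADDRINUSE, so depending on the order in which sshd binds its ListenAddress entries this can log a non-fatal bind error for 127.0.0.1 on every start. `services.openssh.listenAddresses = lib.mkForce [ { addr = "0.0.0.0"; port = 22; } ];` is sufficient; add `{ addr = "::"; port = 22; }` alongside it if remote IPv6 access is intended, since this list replaces the base module's loopback-only default entirely. mkForce is also stronger than needed here: the base sets the list with mkDefault, so a plain assignment would override it while still letting other modules contribute addresses. The enclosing `lib.mkIf` block begins at or before the hunk header and ends in the second hunk.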