fixed ssh at first boot

modules/core/sshd-localhost.nix

@@ -0,0 +1,21 @@
+{ config, lib, pkgs, ... }:
+
+{
+  # ── Always-on localhost SSH ────────────────────────────────────
+  # Provides "ssh root@localhost" for local root access and Hub
+  # operations. Binds exclusively to 127.0.0.1 — zero network exposure.
+  # The sshd *feature flag* in sshd.nix extends this to 0.0.0.0 and
+  # opens port 22 on the firewall when the user enables remote SSH.
+
+  services.openssh = {
+    enable = true;
+    listenAddresses = lib.mkDefault [
+      { addr = "127.0.0.1"; port = 22; }
+    ];
+    settings = {
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
+      PermitRootLogin = "yes";
+    };
+  };
+}

modules/modules.nix

@@ -10,6 +10,7 @@
     ./core/ssh-bootstrap.nix
     ./core/tech-support.nix
     ./core/sovran_systemsos-desktop.nix
+    ./core/sshd-localhost.nix
     ./core/sovran-hub.nix
 
     # ── Always on (no flag) ───────────────────────────────────
@@ -33,4 +34,4 @@
     ./rdp.nix
     ./sshd.nix
   ];
-}
+}

modules/sshd.nix

@@ -2,14 +2,11 @@
 
 lib.mkIf config.sovran_systemsOS.features.sshd {
 
-  services.openssh = {
+  # Extend to listen on all interfaces for remote access
-    enable = true;
+  services.openssh.listenAddresses = lib.mkForce [
-    settings = {
+    { addr = "127.0.0.1"; port = 22; }
-      PasswordAuthentication = false;
+    { addr = "0.0.0.0"; port = 22; }
-      KbdInteractiveAuthentication = false;
+  ];
-      PermitRootLogin = "yes";
-    };
-  };
 
   # Only open port 22 when SSH is actually enabled
   networking.firewall.allowedTCPPorts = [ 22 ];
@@ -20,4 +17,4 @@ lib.mkIf config.sovran_systemsOS.features.sshd {
     ignoreIP = [ "127.0.0.0/8" "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" ];
   };
 
-}
+}