feat: move sshd into its own Nix feature module, gate Tech Support behind it

Agent-Logs-Url: https://github.com/naturallaw777/staging_alpha/sessions/d45dc36f-0b3b-48bb-950f-700afe45dd06

Co-authored-by: naturallaw777 <99053422+naturallaw777@users.noreply.github.com>

modules/core/roles.nix

@@ -48,6 +48,7 @@
       element-calling = lib.mkEnableOption "Element Video and Audio Calling";
       bitcoin-core = lib.mkEnableOption "Bitcoin Core";
       rdp = lib.mkEnableOption "Gnome Remote Desktop";
+      sshd = lib.mkEnableOption "SSH remote access";
     };
 
     # ── Web exposure (controls Caddy vhosts) ──────────────────

modules/modules.nix

@@ -32,5 +32,6 @@
     ./mempool.nix
     ./bitcoin-core.nix
     ./rdp.nix
+    ./sshd.nix
   ];
 }

modules/sshd.nix

@@ -0,0 +1,23 @@
+{ config, lib, pkgs, ... }:
+
+lib.mkIf config.sovran_systemsOS.features.sshd {
+
+  services.openssh = {
+    enable = true;
+    settings = {
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
+      PermitRootLogin = "yes";
+    };
+  };
+
+  # Only open port 22 when SSH is actually enabled
+  networking.firewall.allowedTCPPorts = [ 22 ];
+
+  # Fail2Ban protects SSH when it's active
+  services.fail2ban = {
+    enable = true;
+    ignoreIP = [ "127.0.0.0/8" "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" ];
+  };
+
+}