Support LAN deployment and managed Python runtime

Made-with: Cursor

ansible/roles/terminal/tasks/main.yml

@@ -46,6 +46,25 @@
     enabled: true
   when: ansible_service_mgr == "systemd"
 
+- name: Check systemd sshd listener policy
+  become: true
+  command: ss -ltn
+  register: courseware_terminal_systemd_ss_listeners
+  changed_when: false
+  when: ansible_service_mgr == "systemd"
+
+- name: Restart sshd with systemd when listener policy is not active
+  become: true
+  systemd:
+    name: ssh
+    state: restarted
+    enabled: true
+  when:
+    - ansible_service_mgr == "systemd"
+    - >-
+      '0.0.0.0:22' not in courseware_terminal_systemd_ss_listeners.stdout
+      or '[::]:22' in courseware_terminal_systemd_ss_listeners.stdout
+
 - name: Check for running sshd when systemd is unavailable
   become: true
   command: pgrep -x sshd
@@ -89,19 +108,18 @@
   environment:
     PATH: "{{ courseware_node_runtime_bin_dir }}:{{ ansible_env.PATH }}"
 
-- name: Check loopback sshd listener
+- name: Check sshd listener
   become: true
   command: ss -ltn
   register: courseware_terminal_ss_listeners
   changed_when: false
 
-- name: Assert sshd is loopback-only
+- name: Assert sshd accepts LAN and loopback clients
   assert:
     that:
-      - "'127.0.0.1:22' in courseware_terminal_ss_listeners.stdout"
-      - "'0.0.0.0:22' not in courseware_terminal_ss_listeners.stdout"
+      - "'0.0.0.0:22' in courseware_terminal_ss_listeners.stdout"
       - "'[::]:22' not in courseware_terminal_ss_listeners.stdout"
-    fail_msg: "sshd must listen only on 127.0.0.1:22 for the browser terminal deployment."
+    fail_msg: "sshd must listen on 0.0.0.0:22 so VPN/LAN SSH clients and local WeTTY can connect."
 
 - name: Assert WeTTY binary exists
   stat:

ansible/roles/terminal/templates/sshd-courseware-terminal.conf.j2

@@ -1,5 +1,5 @@
 # Managed by Local Courseware Deployment.
-ListenAddress 127.0.0.1
+ListenAddress 0.0.0.0
 AddressFamily inet
 PermitRootLogin no
 PasswordAuthentication yes