cc me as openssh maintainer
@netixx can you provide more details about your sshd setup? My main questions are if you are using socket activation or not, and what you have configured your listenAddresses as. If we are using socket activation, I believe we shouldn't need this. If not, I believe we still shouldn't need this if binding to a loopback (localhost) address or 0.0.0.0, but I can see this being needed if specific interfaces are configured.
I'll try to do some more research on my end as well.

My setup is the following :

services.openssh.listenAddresses = [
      {
        addr = "X.X.X.X";
        port = 22;
      }
];
networking.interfaces = [
    {
      name = "LAN";
      ip4 = [
        {
          address = "X.X.X.X";
          prefixLength = 24;
        }
      ];
    }
];
networking.useNetworkd = true;

In my setup, X.X.X.X is an ip address assigned either on a bridge or a physical interface.
Im have also configured networking.useNetworkd = true; (which may change when the IP addresses are available for binding). I am not using socket activation.

I agree with your comments on socket activation. Also when I remove the listenAddresses parameters (sshd binds by default to any/0.0.0.0), it was starting as expected. For loopback addresses, I am not familiar with how the 127.0.0.0/8 loopback is brought up on linux (before systemd ?), but for other loopback interface (through this example https://www.aangelis.gr/blog/2016/04/multiple-loopback-ips-in-arch-linux), sshd might try to bind before it is available.

What first struck me as strange is the fact that the after= parameter is set in the current nixos implementation, but the required= or wants= is not set. They say in the manual https://www.freedesktop.org/software/systemd/man/systemd.unit.html that

It is a common pattern to include a unit name in both the After= and Requires= options, in which case the unit listed will be started before the unit that is configured with these options

which is why I added the requires= dependency in my patch but at the same time

After= ensures that the configured unit is started after the listed unit finished starting up

so it seems after should be enough for what we want to do. However (and I just noticed now), the target referenced in the current nixos implementation is network.target, which, according to the systemd manual, is not relevant for IP address binding.

Also, from a theoretical standpoint, we could consider that sshd is useless without network, and so the requires dependency make sense.

If we look at the systemd unit for sshd in ArchLinux, they only included After=network-online.target. I have also read (in not very reliable sources), that good practice is to use After=network.target network-online.target to retain compatibility with older systems (but I think it does not apply to nixos).

I've been testing networkd in the last few weeks and have a problem with this change and the way networkd is currently integrated into NixOS. If general DHCP (networking.useDHCP) is enabled, all interfaces are matched in the main network unit and will be configured with DHCP. If only one interface can't be configured via DHCP network-online.target will never be reached. This is even the case when one interface is configured statically.

I think we should rather fix our networkd integration than adding this change prematurely and thus possibly break sshd for regular networkd users.

EDIT: This is also the case if networkd is not used. If there is no DHCP available even though some interfaces are statically configured => no network-online.target => no sshd.

@fpletz, it's true the the network-online.target can be troublesome, I have experienced failures of the network-online.target (see #30904) which broke my system, but I had to fix it because the other services (say unbound), would also fail. Probably, the dhcp should timeout and the system should always reach the network-online.target (I think this behaviour is already implemented in systemd-networkd) ?

If I understand the manual correctly, the after= wil start the service event if network-online.target fails:

Most importantly, for service units start-up is considered completed for the purpose of Before=/After= when all its configured start-up commands have been invoked and they either failed or reported start-up success.

I propose 3 solutions (assuming the above assumption is correct):

1. Use After=network-online.target. And conditionally change the Requires= dependency: If address binding is configured, then use Requires=network-online.target, else, don't configure the Requires= dependency.
2. Use After=network-online.target. And use the Wants=network-online.target dependency. What this will do is stop sshd if network is stopped, but it will start sshd even if network-online.target fails.
3. Use After=network-online.target, and don't use either Requires= nor Wants=. After discussing this issue, I think this the best option (it seems to be the choice that ArchLinux made, for example).

In the end, I think we need to implement at least one of these options, because, in the current setup, the sshd will fail to start if address binding is configured (which caused me quite a bit of trouble when I upgraded to 17.09 and had to revert to the serial console).

What do you think is the best course of action ?

@GrahamcOfBorg test openssh

I could not access full logs on the x86_64-linux but I assume since the aarch is working (and this change is not a program change) the problem is elsewhere ?

I will close this, since I think using startWhenNeeded and/or firewall rules is a better option than bindAddr.