diff --git a/modules/s6/scripts/rc.init b/modules/s6/scripts/rc.init
index 7a238815d..162d1d9c6 100755
--- a/modules/s6/scripts/rc.init
+++ b/modules/s6/scripts/rc.init
@@ -17,6 +17,9 @@ shift
 mount -t proc none /proc
 mount -t sysfs none /sys
+# s6-linux-init mounts /dev before this script is called
+mkdir /dev/pts
+mount -t devpts none /dev/pts
 mkdir -m 0750 /run/service-state
 chgrp system /run/service-state
diff --git a/overlay.nix b/overlay.nix
index a0662c80b..4f40b0f9b 100644
--- a/overlay.nix
+++ b/overlay.nix
@@ -15,6 +15,15 @@ extraPkgs // {
 nettle = null;
 };
+ dropbear = prev.dropbear.overrideAttrs (o: {
+ postPatch = ''
+ (echo '#define DSS_PRIV_FILENAME "/run/dropbear/dropbear_dss_host_key"'
+ echo '#define RSA_PRIV_FILENAME "/run/dropbear/dropbear_rsa_host_key"'
+ echo '#define ECDSA_PRIV_FILENAME "/run/dropbear/dropbear_ecdsa_host_key"'
+ echo '#define ED25519_PRIV_FILENAME "/run/dropbear/dropbear_ed25519_host_key"') > localoptions.h
+ '';
+ });
+ pppBuild = prev.ppp;
 ppp = (prev.ppp.override {
diff --git a/rotuer.nix b/rotuer.nix
index 9be278bc5..25c3972c5 100644
--- a/rotuer.nix
+++ b/rotuer.nix
@@ -18,6 +18,7 @@ let
 route;
 inherit (pkgs.liminix.services) oneshot longrun bundle target;
 inherit (pkgs)
+ dropbear
 ifwait
 serviceFns;
 in rec {
@@ -146,11 +147,21 @@ in rec {
 ];
 };
+ services.sshd = longrun {
+ name = "sshd";
+ run = ''
+ mkdir -p /run/dropbear
+ ${dropbear}/bin/dropbear -E -P /run/dropbear.pid -R -F
+ '';
+ };
+
 users.dnsmasq = {
 uid = 51; gid= 51; gecos = "DNS/DHCP service user"; dir = "/run/dnsmasq"; shell = "/bin/false";
 };
+ users.root.passwd = lib.mkForce secrets.root_password;
+
 groups.dnsmasq = {
 gid = 51; usernames = ["dnsmasq"];
 };
@@ -220,6 +231,7 @@ in rec {
 packet_forwarding
 dns
 resolvconf
+ sshd
 ];
 };
 defaultProfile.packages = with pkgs; [ nftables strace tcpdump ] ;
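Review bot: In the rc.init hunk, the new `mount -t devpts none /dev/pts` relies on the kernel's default devpts options, and this mount is what backs the login terminals of the sshd service added elsewhere in this commit. I would mount it with explicit hardening options, `mount -t devpts -o nosuid,noexec none /dev/pts`, and add `gid=`/`mode=` if the image defines a tty group (not visible in this hunk). `mkdir /dev/pts` also reports an error if the directory already exists; `mkdir -p /dev/pts` keeps the step repeatable. The script continues outside the hunk.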
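Review bot: Placing all four dropbear host-key paths under /run/dropbear in the overlay.nix hunk means the host identity will not survive a reboot if /run is volatile (it looks like a tmpfs, but that is not visible here), because the service added in rotuer.nix starts dropbear with `-R` and will simply generate fresh keys. Clients then see a changed host key after every restart, which trains users to dismiss the one warning that would reveal a man-in-the-middle, and the keys are generated on a freshly booted device where entropy may be thin. Consider pointing the `*_PRIV_FILENAME` defines at persistent storage if the device has any, and at minimum record the trade-off with a comment such as `# host keys live under /run and are regenerated on every boot`. Separately, `postPatch = ''…''` replaces any `postPatch` the upstream derivation defines, since `o.postPatch` is not appended and `o` is otherwise unused.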
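Review bot: The `services.sshd` run script in the rotuer.nix hunk at -146 starts dropbear with no `-p`, so it listens on every interface of what is a router, and the same hunk sets a root password, so password-authenticated root login is offered wherever port 22 is reachable; whether the nftables rules block it on the WAN side is not visible here. I would bind to the LAN address and drop password authentication for root, e.g. `${dropbear}/bin/dropbear -E -P /run/dropbear.pid -R -F -p <LAN_ADDRESS>:22 -g` (placeholder address; `-g` disables password logins for root, `-s` for all users), with access granted through authorized_keys instead. `mkdir -p /run/dropbear` should also set the mode, `mkdir -p -m 0700 /run/dropbear`, since the directory holds the host private keys. For `users.root.passwd`, confirm that `secrets.root_password` is a crypt hash rather than plaintext, because values interpolated into a Nix build generally end up readable in the store and in the image. The later hunk at -220 adds `sshd` to the default target, so all of this is enabled by default.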