ensure /run/sshd exists and manage ssh.socket on noble

/run/sshd is on tmpfs and can disappear after cleanup, causing sshd
to fail with "Missing privilege separation directory". Create it
explicitly in the state rather than relying only on tmpfiles.

On Noble, SSH uses socket activation (ssh.socket). Ensure the socket
is enabled and running before the service, preventing the dependency
failure loop.

Author: JacobCoffee

salt/ssh/init.sls

@@ -1,10 +1,31 @@
 {% set host_keys = salt["pillar.get"]("ssh_host_keys") %}
 
+# Ensure /run/sshd exists (tmpfs, can disappear between boots/cleanups)
+/run/sshd:
+  file.directory:
+    - user: root
+    - group: root
+    - dir_mode: "0755"
+
+{% if grains["oscodename"] in ["noble"] %}
+# Noble uses socket-activated SSH
+ssh.socket:
+  service.running:
+    - enable: True
+    - require:
+      - file: /run/sshd
+      - file: /etc/ssh/sshd_config
+{% endif %}
 
 ssh:
   service.running:
     - enable: True
     - restart: True
+    - require:
+      - file: /run/sshd
+{% if grains["oscodename"] in ["noble"] %}
+      - service: ssh.socket
+{% endif %}
     - watch:
       - file: /etc/ssh/sshd_config
       {% for fn in host_keys %}