diff --git a/machine/backyard/default.nix b/machine/backyard/default.nix
index 1326d9a..a2aaa8f 100644
--- a/machine/backyard/default.nix
+++ b/machine/backyard/default.nix
@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 {
 imports = [
@@ -19,9 +19,36 @@
 users.users.tvb.extraGroups = [ "networkmanager" ];
 networking.firewall = {
- enable = true;
+ enable = false;
 };
+ #
+ users.users.guest = {
+ group = "guest";
+ description = "gueSSHtbook sshd user";
+ };
+ users.groups.guest = {};
+ systemd.services.guesshd = let
+ nssModulesPath = config.system.nssModules.path;
+ in {
+ enable = false;
+ description = "gueSSHtbook SSH daemon";
+ wantedBy = "multi-user.target";
+ after = [ "network.target" ];
+ stopIfChanged = false;
+ path = [ config.programs.ssh.package pkgs.gawk ];
+ environment.LD_LIBRARY_PATH = nssModulesPath;
+ #restartTriggers = [ config path goes here ];
+ # need keys to exist, see prestart in sshd.nix
+ serviceConfig = {
+ ExecStart = "${config.programs.ssh.package}/bin/sshd -D -f /path/to/config";
+ KillMode = "process";
+ Restart = "always";
+ Type = "simple";
+ };
+ networking.firewall.allowedTCPPorts = [ 2345 ];
+ #
+
 # This value governs how some stateful data, like databases, are handled
 # across different versions of NixOS. This should not be changed to a new
 # release unless the sysadmin has determined that no services would be
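Review bot: `networking.firewall.enable = false;` switches off packet filtering for the whole host, so every listening service becomes reachable on all interfaces and the `allowedTCPPorts = [ 2345 ]` line added further down has no effect. If the aim is only to expose the new sshd instance, keep `enable = true;` and let `allowedTCPPorts` open that single port. As far as the visible lines show, the `in {` attrset of `systemd.services.guesshd` is never closed before `networking.firewall.allowedTCPPorts`, so that line either lands inside the service definition or leaves the file's braces unbalanced; a `};` after the `serviceConfig` block looks missing. `wantedBy` is also a list option in NixOS, so it should read `wantedBy = [ "multi-user.target" ];`.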