feat: harden openssh server

configs/common.nix

@@ -113,11 +113,6 @@ in {
   };
 
   services = {
-    openssh = {
-      enable = true;
-      openFirewall = lib.mkDefault false;
-    };
-
     vscode-server.enable = true;
 
     resolved = {

configs/server.nix

@@ -1,3 +1,15 @@
 {
-  services.tailscale.extraUpFlags = ["--advertise-exit-node"];
+  services = {
+    tailscale.extraUpFlags = ["--advertise-exit-node"];
+
+    openssh = {
+      enable = true;
+      settings = {
+        PermitRootLogin = "no";
+        PasswordAuthentication = false;
+        KbdInteractiveAuthentication = false;
+        X11Forwarding = false;
+      };
+    };
+  };
 }