diff --git a/hosts/common/services/openssh.nix b/hosts/common/services/openssh.nix
index c7b9c31..c5f418f 100644
--- a/hosts/common/services/openssh.nix
+++ b/hosts/common/services/openssh.nix
@@ -1,12 +1,32 @@
-{ ... }:
+{ lib, ... }:
 {
   services.openssh = {
+    enable = lib.mkDefault true;
     startWhenNeeded = true;
     settings = {
       StreamLocalBindUnlink = true;
       PasswordAuthentication = false;
       KbdInteractiveAuthentication = false;
       PermitRootLogin = "no";
+      PermitEmptyPasswords = false;
+      ChallengeResponseAuthentication = false;
+      GSSAPIAuthentication = false;
+      HostbasedAuthentication = false;
+      IgnoreRhosts = true;
+      KerberosAuthentication = false;
+      RhostsRSAAuthentication = false;
+      Protocol = "2";
+      Macs = [
+        "hmac-sha2-512-etm@openssh.com"
+        "hmac-sha2-256-etm@openssh.com"
+        "umac-128-etm@openssh.com"
+        "hmac-sha2-512"
+      ];
     };
   };
+
+  # systemd.services."sshd@".serviceConfig = {
+  #   Nice = -15;
+  #   IOSchedulingClass = "realtime";
+  # };
 }
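Review bot: Three of the added settings provide no hardening on a current OpenSSH. `Protocol = "2";` and `RhostsRSAAuthentication = false;` refer to SSH protocol 1 features that upstream removed, so sshd either ignores them or logs a deprecated-option warning, depending on the pinned version. `ChallengeResponseAuthentication = false;` is a deprecated alias of `KbdInteractiveAuthentication`, which this block already sets. Dropping those three lines keeps the rendered sshd_config free of no-op entries that add log noise and suggest protections that are not there. Separately, `enable = lib.mkDefault true;` now turns sshd on for every host importing this common module, whereas in the visible diff only tsuki enabled it, so a comment such as `# on by default for all hosts; set services.openssh.enable = false where remote access is not wanted` would make the wider exposure explicit.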
diff --git a/hosts/tsuki/configuration.nix b/hosts/tsuki/configuration.nix
index 7d0bfea..eec5f0f 100644
--- a/hosts/tsuki/configuration.nix
+++ b/hosts/tsuki/configuration.nix
@@ -57,19 +57,6 @@
     firewall.enable=true;
   };
 
-  services.openssh.enable = true;
-  services.openssh.settings.Macs = [
-    "hmac-sha2-512-etm@openssh.com"
-    "hmac-sha2-256-etm@openssh.com"
-    "umac-128-etm@openssh.com"
-    "hmac-sha2-512"
-  ];
-
-  systemd.services."sshd@".serviceConfig = {
-    Nice = -15;
-    IOSchedulingClass = "realtime";
-  };
-
   users = {
     users = {
       media = {