Security updates

modules/services.nix

@@ -1,12 +1,36 @@
 { config, pkgs, ... }:
 
 {
-  # Enable the OpenSSH daemon
+  # Hardened OpenSSH
   services.openssh = {
     enable = true;
+    ports = [ 22 ];
     settings = {
+      # Authentication
       PermitRootLogin = "no";
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
+      PermitEmptyPasswords = false;
+      
+      # Security hardening
+      X11Forwarding = false;
+      AllowTcpForwarding = false;
+      AllowAgentForwarding = false;
+      AllowStreamLocalForwarding = false;
+      
+      # Session settings
+      ClientAliveInterval = 300;
+      ClientAliveCountMax = 2;
+      MaxAuthTries = 3;
+      MaxSessions = 2;
+      LoginGraceTime = 30;
     };
+    # Use only strong key exchange algos
+    extraConfig = ''
+      KexAlgorithms curve25519-sha256@libssh.org,curve25519-sha256
+      Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
+      MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+    '';
   };
 
   # Tailscale