sec: harden ssh config

hosts/common/optional/services/openssh.nix

@@ -4,6 +4,14 @@ in {
   services.openssh = {
     enable = true;
     ports = [ sshPort ];
+
+    settings = {
+      PermitRootLogin = "no";
+      KbdInteractiveAuthentication = false;
+      PasswordAuthentication = false;
+    };
+
+    openFirewall = true;
   };
 
   networking.firewall.allowedTCPPorts = [ sshPort ];