feat: get to a solid bootstrap on public ssh

modules/deploy-ssh.nix

@@ -0,0 +1,29 @@
+{ ... }:
+{
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [ 22 ];
+  };
+
+  services.openssh = {
+    enable = true;
+    openFirewall = true;
+    settings = {
+      AllowAgentForwarding = false;
+      AllowGroups = [ "wheel" ];
+      AllowTcpForwarding = false;
+      ClientAliveCountMax = 2;
+      ClientAliveInterval = 300;
+      KbdInteractiveAuthentication = false;
+      LoginGraceTime = 20;
+      MaxAuthTries = 3;
+      MaxSessions = 4;
+      PasswordAuthentication = false;
+      PermitRootLogin = "no";
+      PermitTunnel = false;
+      PermitUserEnvironment = false;
+      StreamLocalBindUnlink = false;
+      X11Forwarding = false;
+    };
+  };
+}