Harden OpenSSH service

modules/sshd.nix

@@ -1,6 +1,20 @@
 {
   services.openssh = {
     enable = true;
-    settings.PasswordAuthentication = false;
+    settings = {
+      KbdInteractiveAuthentication = false;
+      # Use key exchange algorithms recommended by `nixpkgs#ssh-audit`
+      KexAlgorithms = [
+        "curve25519-sha256"
+        "curve25519-sha256@libssh.org"
+        "diffie-hellman-group16-sha512"
+        "diffie-hellman-group18-sha512"
+        "sntrup761x25519-sha512@openssh.com"
+      ];
+      PasswordAuthentication = false;
+      StreamLocalBindUnlink = true; # unbind gnupg sockets if they exists
+      UseDns = false;
+      X11Forwarding = false;
+    };
   };
 }