diff --git a/common/nixos/ssh.nix b/common/nixos/ssh.nix
new file mode 100644
index 0000000..af71952
--- /dev/null
+++ b/common/nixos/ssh.nix
@@ -0,0 +1,93 @@
+{user, ...}: {
+ # https://www.ssh-audit.com/hardening_guides.html
+ # https://github.com/jtesta/ssh-audit
+ services.openssh = {
+ enable = true;
+ settings = {
+ ########## Features ##########
+
+ # disallow ssh-agent forwarding to prevent lateral movement
+ AllowAgentForwarding = false;
+
+ # prevent TCP ports from being forwarded over SSH tunnels
+ # **please be aware that disabling TCP forwarding does not prevent port forwarding**
+ # any user with an interactive login shell can spin up his/her own instance of sshd
+ AllowTcpForwarding = false;
+
+ # prevent StreamLocal (Unix-domain socket) forwarding
+ AllowStreamLocalForwarding = false;
+
+ # disables all forwarding features
+ # overrides all other forwarding switches
+ DisableForwarding = true;
+
+ # disallow remote hosts from connecting to forwarded ports
+ # i.e. forwarded ports are forced to bind to 127.0.0.1 instad of 0.0.0.0
+ GatewayPorts = "no";
+
+ # prevent tun device forwarding
+ PermitTunnel = false;
+
+ # suppress MOTD
+ PrintMotd = false;
+
+ # disable X11 forwarding since it is not necessary
+ X11Forwarding = false;
+
+ ########## Authentication ##########
+
+ AllowUsers = ["${user}"];
+
+ # Use keys only. Remove if you want to SSH using password (not recommended)
+ PasswordAuthentication = false;
+ HostbasedAuthentication = false;
+
+ # enable pubkey authentication
+ PubkeyAuthentication = true;
+
+ # Forbid root login through SSH.
+ PermitRootLogin = "no";
+
+ # nix enables pam by default
+ #UsePam = true;
+
+ ########## Cryptography ##########
+
+ # explicitly define cryptography algorithms to avoid the use of weak algorithms
+ # AES CTR modes have been removed to mitigate the Terrapin attack
+ # https://terrapin-attack.com/
+
+ Ciphers = ["aes256-gcm@openssh.com" "aes128-gcm@openssh.com"];
+ Macs = ["hmac-sha2-256-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com"];
+ KexAlgorithms = ["curve25519-sha256" "curve25519-sha256@libssh.org" "diffie-hellman-group16-sha512" "diffie-hellman-group18-sha512"];
+
+ ########## Connection Preferences ##########
+
+ # enforce SSH server to only use SSH protocol version 2
+ # SSHv1 contains security issues and should be avoided at all costs
+ # SSHv1 is disabled by default after OpenSSH 7.0, but this option is
+ # specified anyways to ensure this configuration file's compatibility
+ # with older versions of OpenSSH server
+ Protocol = 2;
+
+ # number of client alive messages sent without client responding
+ ClientAliveCountMax = 2;
+
+ # send a keepalive message to the client when the session has been idle for 300 seconds
+ # this prevents/detects connection timeouts
+ ClientAliveInterval = 300;
+
+ # compression before encryption might cause security issues
+ Compression = false;
+
+ # prevent SSH trust relationships from allowing lateral movements
+ IgnoreRhosts = true;
+
+ # log verbosely for addtional information
+ LogLevel = "VERBOSE";
+
+ # allow a maximum of two multiplexed sessions over a single TCP connection
+ MaxSessions = 2;
+ };
+ };
+}
diff --git a/hosts/candlekeep/configuration.nix b/hosts/candlekeep/configuration.nix
index 359f9e2..f8ca7ca 100644
--- a/hosts/candlekeep/configuration.nix
+++ b/hosts/candlekeep/configuration.nix
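Review bot: `Protocol = 2;` in the Connection Preferences section is a keyword that current OpenSSH no longer honours — sshd parses `Protocol` as a deprecated option and logs a warning at every configuration load, and a NixOS-managed sshd never runs the pre-7.x servers the five-line comment above it cites, so the justification is misleading; drop the key and its comment, or shorten the comment to `# Protocol is deprecated in modern OpenSSH; kept only as documentation`. The Terrapin comment above `Ciphers` also appears to overstate the case: as far as I recall, the exploitable combinations in the Terrapin paper are chacha20-poly1305@openssh.com and CBC ciphers paired with EtM MACs, not AES-CTR, so the GCM-only list is a reasonable choice but the stated reason should be a preference for AEAD ciphers rather than Terrapin, with the actual mitigation being the strict-KEX extension that OpenSSH 9.6 and later negotiate. Two smaller points: `#UsePam = true;` is dead text and, if it is meant to document the NixOS default, the sshd keyword is spelled `UsePAM`; and `GatewayPorts = "no";` is the only boolean-valued key written as a string while its neighbours use Nix booleans, so `GatewayPorts = false;` would be consistent (NixOS renders `false` as `no`, as it does for the other keys here).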
@@ -18,6 +18,7 @@
 #../../common/networking/zerotier.nix
 ../../common/nixos/bluetooth.nix
 ../../common/nixos/restic.nix
+ ../../common/nixos/ssh.nix
 ../../common/gui/hyprland.nix
 ../../common/gui/thunar.nix
 ../../common/style/stylix.nix
@@ -110,98 +111,6 @@
 };
 };
 
- # This setups a SSH server. Very important if you're setting up a headless system.
- # Feel free to remove if you don't need it.
- services.openssh = {
- enable = true;
- settings = {
- ########## Features ##########
-
- # disallow ssh-agent forwarding to prevent lateral movement
- AllowAgentForwarding = false;
-
- # prevent TCP ports from being forwarded over SSH tunnels
- # **please be aware that disabling TCP forwarding does not prevent port forwarding**
- # any user with an interactive login shell can spin up his/her own instance of sshd
- AllowTcpForwarding = false;
-
- # prevent StreamLocal (Unix-domain socket) forwarding
- AllowStreamLocalForwarding = false;
-
- # disables all forwarding features
- # overrides all other forwarding switches
- DisableForwarding = true;
-
- # disallow remote hosts from connecting to forwarded ports
- # i.e. forwarded ports are forced to bind to 127.0.0.1 instad of 0.0.0.0
- GatewayPorts = "no";
-
- # prevent tun device forwarding
- PermitTunnel = false;
-
- # suppress MOTD
- PrintMotd = false;
-
- # disable X11 forwarding since it is not necessary
- X11Forwarding = false;
-
- ########## Authentication ##########
-
- AllowUsers = ["${user}"];
-
- # Use keys only. Remove if you want to SSH using password (not recommended)
- PasswordAuthentication = false;
- HostbasedAuthentication = false;
-
- # enable pubkey authentication
- PubkeyAuthentication = true;
-
- # Forbid root login through SSH.
- PermitRootLogin = "no";
-
- # nix enables pam by default
- #UsePam = true;
-
- ########## Cryptography ##########
-
- # explicitly define cryptography algorithms to avoid the use of weak algorithms
- # AES CTR modes have been removed to mitigate the Terrapin attack
- # https://terrapin-attack.com/
-
- Ciphers = ["aes256-gcm@openssh.com" "aes128-gcm@openssh.com"];
- Macs = ["hmac-sha2-256-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com"];
- KexAlgorithms = ["curve25519-sha256" "curve25519-sha256@libssh.org" "diffie-hellman-group16-sha512" "diffie-hellman-group18-sha512"];
-
- ########## Connection Preferences ##########
-
- # enforce SSH server to only use SSH protocol version 2
- # SSHv1 contains security issues and should be avoided at all costs
- # SSHv1 is disabled by default after OpenSSH 7.0, but this option is
- # specified anyways to ensure this configuration file's compatibility
- # with older versions of OpenSSH server
- Protocol = 2;
-
- # number of client alive messages sent without client responding
- ClientAliveCountMax = 2;
-
- # send a keepalive message to the client when the session has been idle for 300 seconds
- # this prevents/detects connection timeouts
- ClientAliveInterval = 300;
-
- # compression before encryption might cause security issues
- Compression = false;
-
- # prevent SSH trust relationships from allowing lateral movements
- IgnoreRhosts = true;
-
- # log verbosely for addtional information
- LogLevel = "VERBOSE";
-
- # allow a maximum of two multiplexed sessions over a single TCP connection
- MaxSessions = 2;
- };
- };
-
 environment = {
 loginShellInit = ''
 if [ -z $DISPLAY ] && [ "$(tty)" = "/dev/tty1" ]; then