diff --git a/hosts/alpha/default.nix b/hosts/alpha/default.nix
index ac432db..48761c1 100644
--- a/hosts/alpha/default.nix
+++ b/hosts/alpha/default.nix
@@ -13,6 +13,8 @@
 ../../modules/nixos/upstream-proxy.nix
 ];
 
+ tux.services.openssh.enable = true;
+
 sops.secrets = {
 borg_encryption_key = {
 sopsFile = ./secrets.yaml;
diff --git a/hosts/arcturus/default.nix b/hosts/arcturus/default.nix
index 0b852d0..6748c6e 100644
--- a/hosts/arcturus/default.nix
+++ b/hosts/arcturus/default.nix
@@ -32,6 +32,8 @@
 ../../modules/nixos/containers/cs2.nix
 ];
 
+ tux.services.openssh.enable = true;
+
 sops.secrets = {
 borg_encryption_key = {
 sopsFile = ./secrets.yaml;
diff --git a/hosts/canopus/default.nix b/hosts/canopus/default.nix
index ef79a57..1f5bd30 100755
--- a/hosts/canopus/default.nix
+++ b/hosts/canopus/default.nix
@@ -21,6 +21,8 @@
 ../../modules/nixos/steam.nix
 ];
 
+ tux.services.openssh.enable = true;
+
 nixpkgs.config.cudaSupport = true;
 
 sops.secrets = {
diff --git a/hosts/capella/default.nix b/hosts/capella/default.nix
index c75740b..d582e68 100644
--- a/hosts/capella/default.nix
+++ b/hosts/capella/default.nix
@@ -15,6 +15,8 @@
 ../../modules/nixos/containers/cs2.nix
 ];
 
+ tux.services.openssh.enable = true;
+
 sops.secrets = {
 "cs2_secrets/SRCDS_TOKEN" = {
 sopsFile = ./secrets.yaml;
diff --git a/hosts/common/default.nix b/hosts/common/default.nix
index 51466c2..4333de2 100644
--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@@ -3,21 +3,17 @@
 username,
 outputs,
 config,
- lib,
 inputs,
 email,
 ...
-}: let
- # Sops needs acess to the keys before the persist dirs are even mounted; so
- # just persisting the keys won't work, we must point at /persist
- hasOptinPersistence = config.environment.persistence."/persist".enable;
-in {
+}: {
 imports = [
 inputs.impermanence.nixosModules.impermanence
 inputs.home-manager.nixosModules.home-manager
 
 ../../modules/nixos/fail2ban.nix
 ../../modules/nixos/sops.nix
+ ../../modules/nixos/networking/ssh.nix
 ];
 
 sops.secrets.tux-password = {
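Review bot: In the hosts/common/default.nix hunk, sshd becomes opt-in: the unconditional `services.openssh` block is removed from common while the newly imported module is gated on `tux.services.openssh.enable`, whose `mkEnableOption` default is false, so any host that imports `../common` but is not touched by this commit silently loses its SSH server. Every host directory visible in this diff does set the flag, so the exposure is limited to hosts outside the diff or added later; a one-line comment beside the new import, `# sshd is opt-in: each host must set tux.services.openssh.enable = true`, would make the contract explicit. Dropping `lib` from the argument set is only safe if nothing else in this file still references it, which the hunk cannot show.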
@@ -98,22 +94,6 @@ in {
 };
 };
 
- services = {
- openssh = {
- enable = true;
- settings = {
- PasswordAuthentication = false;
- };
-
- hostKeys = [
- {
- path = "${lib.optionalString hasOptinPersistence "/persist"}/etc/ssh/ssh_host_ed25519_key";
- type = "ed25519";
- }
- ];
- };
- };
-
 users = {
 mutableUsers = false;
 defaultUserShell = pkgs.zsh;
diff --git a/hosts/homelab/default.nix b/hosts/homelab/default.nix
index ea01a54..eb95ff6 100755
--- a/hosts/homelab/default.nix
+++ b/hosts/homelab/default.nix
@@ -19,6 +19,8 @@
 ../../modules/nixos/cyber-tux.nix
 ];
 
+ tux.services.openssh.enable = true;
+
 sops.secrets = {
 discord_token = {
 sopsFile = ./secrets.yaml;
diff --git a/hosts/sirius/default.nix b/hosts/sirius/default.nix
index 5cd837c..dbf821e 100644
--- a/hosts/sirius/default.nix
+++ b/hosts/sirius/default.nix
@@ -12,6 +12,8 @@
 ../../modules/nixos/virtualisation/docker.nix
 ];
 
+ tux.services.openssh.enable = true;
+
 boot.binfmt.emulatedSystems = ["aarch64-linux"];
 
 nixpkgs = {
diff --git a/hosts/vega/default.nix b/hosts/vega/default.nix
index 44d6c44..b3029ff 100644
--- a/hosts/vega/default.nix
+++ b/hosts/vega/default.nix
@@ -10,6 +10,8 @@
 ../../modules/nixos/adguard.nix
 ];
 
+ tux.services.openssh.enable = true;
+
 boot.initrd.availableKernelModules = [
 "usbhid"
 "usb_storage"
diff --git a/hosts/vps/default.nix b/hosts/vps/default.nix
index 0211b13..b533d6f 100644
--- a/hosts/vps/default.nix
+++ b/hosts/vps/default.nix
@@ -14,6 +14,8 @@
 ../common
 ];
 
+ tux.services.openssh.enable = true;
+
 nixpkgs = {
 hostPlatform = "x86_64-linux";
 };
diff --git a/modules/nixos/networking/ssh.nix b/modules/nixos/networking/ssh.nix
new file mode 100644
index 0000000..4914000
--- /dev/null
+++ b/modules/nixos/networking/ssh.nix
@@ -0,0 +1,69 @@
+{
+ config,
+ lib,
+ ...
+}:
+with lib; let
+ cfg = config.tux.services.openssh;
+
+ # Sops needs acess to the keys before the persist dirs are even mounted; so
+ # just persisting the keys won't work, we must point at /persist
+ hasOptinPersistence = config.environment.persistence."/persist".enable;
+in {
+ options.tux.services.openssh = {
+ enable = mkEnableOption "Enable OpenSSH server";
+
+ ports = mkOption {
+ type = types.listOf types.port;
+ default = [22];
+ description = ''
+ Specifies on which ports the SSH daemon listens.
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ services.openssh = {
+ enable = true;
+ startWhenNeeded = true;
+ allowSFTP = true;
+ ports = cfg.ports;
+
+ settings = {
+ PermitRootLogin = "no";
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ AuthenticationMethods = "publickey";
+ PubkeyAuthentication = "yes";
+ ChallengeResponseAuthentication = "no";
+ UsePAM = false;
+ UseDns = false;
+ X11Forwarding = false;
+ KexAlgorithms = [
+ "curve25519-sha256"
+ "curve25519-sha256@libssh.org"
+ "diffie-hellman-group16-sha512"
+ "diffie-hellman-group18-sha512"
+ "sntrup761x25519-sha512@openssh.com"
+ "diffie-hellman-group-exchange-sha256"
+ "mlkem768x25519-sha256"
+ "sntrup761x25519-sha512"
+ ];
+ Macs = [
+ "hmac-sha2-512-etm@openssh.com"
+ "hmac-sha2-256-etm@openssh.com"
+ "umac-128-etm@openssh.com"
+ ];
+ ClientAliveCountMax = 5;
+ ClientAliveInterval = 60;
+ };
+
+ hostKeys = [
+ {
+ path = "${lib.optionalString hasOptinPersistence "/persist"}/etc/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ ];
+ };
+ };
+}
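Review bot: The `KexAlgorithms` list under `settings` names `mlkem768x25519-sha256` and the unsuffixed `sntrup761x25519-sha512`, which as far as I know only OpenSSH 9.9 and later recognise; sshd rejects its configuration outright on an unknown algorithm name, so on a host whose pinned nixpkgs carries an older OpenSSH this module would remove remote access rather than fall back, unless the NixOS module's build-time config validation catches it first — worth a comment stating the minimum OpenSSH version, or dropping the two newest names until the pin is known. `UsePAM = false` skips PAM account and session handling, so SSH logins get no logind session (and therefore no `XDG_RUNTIME_DIR` or user units) and PAM-level account checks do not apply; if that is deliberate it deserves a why-comment on that line. `ChallengeResponseAuthentication` is the deprecated alias of `KbdInteractiveAuthentication`, which is already set two lines above, so one of the pair is redundant. `mkEnableOption` prefixes its argument with "Whether to enable", so the generated option text currently reads "Whether to enable Enable OpenSSH server."; use `enable = mkEnableOption "the OpenSSH server";`. The carried-over comment also has a typo: `# Sops needs access to the keys before the persist dirs are even mounted; so`.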