diff --git a/hosts/nixos-server-reid/default.nix b/hosts/nixos-server-reid/default.nix
index 30cc25a..07c804d 100755
--- a/hosts/nixos-server-reid/default.nix
+++ b/hosts/nixos-server-reid/default.nix
@@ -34,16 +34,12 @@ in {
 modules = {
 services = {
- ssh = {
- enable = true;
- requirePassword = false;
- };
+ ssh.enable = true;
+ ssh.enableMoshSupport = true;
 postgres.enable = true;
 redis.enable = true;
-
- mosh.enable = true;
 };
 security.useDoas = true;
diff --git a/modules/services/mosh.nix b/modules/services/mosh.nix
deleted file mode 100755
index 2860c6f..0000000
--- a/modules/services/mosh.nix
+++ /dev/null
@@ -1,16 +0,0 @@
-{ config, lib, pkgs, options, ... }:
-
-with lib;
-let
- cfg = config.modules.services.mosh;
-in {
- options.modules.services.mosh = {
- enable = mkEnableOption "enable mosh, the mobile SSH shell";
- };
-
- config = mkIf cfg.enable {
- programs.mosh = {
- enable = true;
- };
- };
-}
diff --git a/modules/services/ssh.nix b/modules/services/ssh.nix
index 59fc01c..ec35067 100755
--- a/modules/services/ssh.nix
+++ b/modules/services/ssh.nix
@@ -5,27 +5,31 @@ let
 cfg = config.modules.services.ssh;
 in {
 options.modules.services.ssh = {
- enable = mkEnableOption "enable openssh, a server for remote shell access";
-
- requirePassword = mkOption {
- type = types.bool;
- default = true;
- };
+ enable = mkEnableOption "enable ssh. you know what ssh is";
+ enableMoshSupport = mkEnableOption "enable mosh, a roaming, UDP-based ssh implementation";
 };
- config = mkIf cfg.enable {
- services.openssh = {
- enable = true;
-
- settings = {
- PasswordAuthentication = cfg.requirePassword;
- PermitRootLogin = "no";
+ config = mkIf cfg.enable (mkMerge [
+ {
+ services.openssh = {
+ enable = true;
+ ports = [ 22 ];
+ settings = {
+ PasswordAuthentication = false;
+ AllowUsers = null; # Allows all users by default, can be [ "user1" "user2" ]
+ UseDns = true;
+ PermitRootLogin = "no"; # "yes", "without-password", "prohibit-password", "forced-commands-only", "no"
+ };
 };
- };
- programs.gnupg.agent = {
- enable = true;
- enableSSHSupport = true;
- };
- };
+ networking.firewall.allowedTCPPorts = [ 22 ];
+ networking.firewall.allowedUDPPorts = [ 22 ];
+ }
+ (mkIf cfg.enableMoshSupport {
+ programs.mosh.enable = true;
+
+ networking.firewall.allowedTCPPortRanges = [ { from = 60000; to = 61000; } ];
+ networking.firewall.allowedUDPPortRanges = [ { from = 60000; to = 61000; } ];
+ })
+ ]);
 }
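Review bot: `PasswordAuthentication = false;` in the new settings block does not by itself turn off password logins, because NixOS leaves `services.openssh.settings.KbdInteractiveAuthentication` at its default of true and sshd's PAM keyboard-interactive path can still prompt for a password; add `KbdInteractiveAuthentication = false;` beside it. The firewall lines are also wider than the services need: sshd listens on TCP only, so `networking.firewall.allowedUDPPorts = [ 22 ];` opens a port nothing listens on, mosh is UDP-only so the `allowedTCPPortRanges` entry in the `enableMoshSupport` branch can go, and if `services.openssh.openFirewall` and `programs.mosh.openFirewall` are left at their defaults (both true) they already open TCP 22 and UDP 60000–61000, which makes the remaining explicit entries redundant. `UseDns = true` reverses the NixOS default and makes every login wait on a reverse lookup; if it is there to support `from=` restrictions in authorized_keys, say so in a comment, otherwise drop it. The `enable` description also reads awkwardly because mkEnableOption prefixes "Whether to enable"; something like `enable = mkEnableOption "the OpenSSH server";` yields a proper option description.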