diff --git a/hosts/vm/configuration.nix b/hosts/vm/configuration.nix
index 230c912..0953f1a 100644
--- a/hosts/vm/configuration.nix
+++ b/hosts/vm/configuration.nix
@@ -14,6 +14,7 @@
     ../../modules/localization.nix
     ../../modules/x.nix
     ../../modules/fonts
+    ../../modules/ssh/hardened-openssh.nix
   ];
   nix.settings.experimental-features = [
@@ -52,26 +53,6 @@
   services.openssh = {
     enable = true;
-    startWhenNeeded = true;
-    settings = {
-      ## hardening
-      PermitRootLogin = "no";
-      MaxAuthTries = 3;
-      LoginGraceTime = "1m";
-      PasswordAuthentication = false;
-      PermitEmptyPasswords = false;
-      ChallengeResponseAuthentication = false;
-      KerberosAuthentication = false;
-      GSSAPIAuthentication = false;
-      X11Forwarding = false;
-      PermitUserEnvironment = false;
-      AllowAgentForwarding = false;
-      AllowTcpForwarding = false;
-      PermitTunnel = false;
-      ## sshd_config defaults on Arch Linux
-      KbdInteractiveAuthentication = false;
-      UsePAM = true;
-      PrintMotd = false;
-    };
+    harden = true;
   };
 }
diff --git a/modules/ssh/hardened-openssh.nix b/modules/ssh/hardened-openssh.nix
new file mode 100644
index 0000000..3d750a9
--- /dev/null
+++ b/modules/ssh/hardened-openssh.nix
@@ -0,0 +1,19 @@
+{ lib, config, ... }:
+with lib;
+let
+  cfg = config.services.openssh;
+in
+{
+  options.services.openssh.harden = mkEnableOption "harden ssh server configuration";
+  config.services.openssh.settings = optionalAttrs cfg.harden {
+    PermitRootLogin = "no";
+    PasswordAuthentication = false;
+    ChallengeResponseAuthentication = false;
+    X11Forwarding = false;
+    AllowAgentForwarding = false;
+    AllowTcpForwarding = false;
+    PermitTunnel = false;
+    MaxAuthTries = 3;
+    LoginGraceTime = "1m";
+  };
+}
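Review bot: `harden = true;` does not carry over `KbdInteractiveAuthentication = false;` from the removed block, and the new module only sets the deprecated alias `ChallengeResponseAuthentication`; as far as I know the NixOS openssh module defaults KbdInteractiveAuthentication to true, so with `UsePAM` still on, password prompts may remain reachable through keyboard-interactive even though `PasswordAuthentication = false`. Which of the two directives sshd honours then depends on the order the module renders them, so the safe fix is to add `KbdInteractiveAuthentication = false;` next to `ChallengeResponseAuthentication = false;` in modules/ssh/hardened-openssh.nix. `startWhenNeeded = true;` is also dropped here with no counterpart in the module; if socket activation was intended, keep it in this block. The other removed entries (PermitEmptyPasswords, Kerberos/GSSAPI authentication, PermitUserEnvironment) match sshd's built-in defaults, so leaving them out looks benign. Confirm the effective config on the VM after the rebuild with `sshd -T | grep -i kbdinteractive`.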
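Review bot: The module assigns `config.services.openssh.settings = optionalAttrs cfg.harden { … }` under a blanket `with lib;`; the conventional NixOS shape is `config = lib.mkIf cfg.harden { services.openssh.settings = { … }; };` with `lib.mkEnableOption` spelled out, which keeps the option gating visible and avoids `with lib;` shadowing names. Decide whether hosts may relax individual values: as written, a host that also sets e.g. `services.openssh.settings.AllowTcpForwarding = true` should fail evaluation with a conflicting-definition error, which is a sensible default for a hardening module but ought to be stated; if per-host overrides are intended, wrap the values in `lib.mkDefault`. The file has no comment explaining its intent; a short header such as `# Opt-in sshd hardening: no root login, no password auth, no forwarding/tunnels; merged into services.openssh.settings when services.openssh.harden is set.` plus one-line reasons on the non-obvious entries (MaxAuthTries, LoginGraceTime) would help the next reader. The option description could also say what it changes, e.g. `mkEnableOption "a hardened sshd baseline (no root login, no password auth, no forwarding)"`.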