diff --git a/modules/system/ssh/default.nix b/modules/system/ssh/default.nix
index 05c7d97..9aa4a07 100644
--- a/modules/system/ssh/default.nix
+++ b/modules/system/ssh/default.nix
@@ -12,9 +12,11 @@ in
   config = mkIf cfg.enable {
     services.openssh = {
       enable = true;
+      ports = [ 22 ];
+      openFirewall = true;
       settings = {
         X11forwarding = true;
-        PermitRootLogin = "yes";
+        PermitRootLogin = "no";
         passwordAuthentication = false;
         kbdInteractiveAuthentication = false;
       };