diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix
index 0311fe3..8854a0d 100644
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@@ -25,7 +25,19 @@
 
   networking.hostName = "${hostName}";
 
-  services.openssh.enable = true;
+  # hardened openssh
+  services.openssh = {
+    passwordAuthentication = false;
+    allowSFTP = false; 
+    challengeResponseAuthentication = false;
+    extraConfig = ''
+      AllowTcpForwarding yes
+      X11Forwarding no
+      AllowAgentForwarding no
+      AllowStreamLocalForwarding no
+      AuthenticationMethods publickey
+    '';
+  };
 
   system.stateVersion = "24.11";
 
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 804f01d..e980470 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -13,8 +13,7 @@
     "localisation"
     "network"
     "nh"
-    "nix-settings"
-    "nixpkgs"
+    "nix"
     "nixvim"
     "syncthing"
     "systemd-boot"
diff --git a/modules/nixos/features/network.nix b/modules/nixos/features/network.nix
index 5ea2774..ce2b3a9 100644
--- a/modules/nixos/features/network.nix
+++ b/modules/nixos/features/network.nix
@@ -6,5 +6,6 @@
   networking = {
     hostName = "${hostName}";
     networkmanager.enable = true;
+    firewall.enable = true;
   };
 }
diff --git a/modules/nixos/features/nix-settings.nix b/modules/nixos/features/nix.nix
similarity index 65%
rename from modules/nixos/features/nix-settings.nix
rename to modules/nixos/features/nix.nix
index eda2992..7ee4d10 100644
--- a/modules/nixos/features/nix-settings.nix
+++ b/modules/nixos/features/nix.nix
@@ -1,5 +1,16 @@
 {
+  lib,
+  ...
+}:
+{
+  # rip out default packages
+  environment.defaultPackages = lib.mkForce [ ];
+
+  # allow packages with non-free licenses
+  nixpkgs.config.allowUnfree = true;
+
   nix = {
+    allowedUsers = [ "@wheel" ];
     gc = {
       automatic = true;
       dates = "weekly";
diff --git a/modules/nixos/features/nixpkgs.nix b/modules/nixos/features/nixpkgs.nix
deleted file mode 100644
index e95ec3c..0000000
--- a/modules/nixos/features/nixpkgs.nix
+++ /dev/null
@@ -1,3 +0,0 @@
-{
-  nixpkgs.config.allowUnfree = true;
-}
diff --git a/modules/nixos/features/sudo.nix b/modules/nixos/features/sudo.nix
new file mode 100644
index 0000000..78f1db5
--- /dev/null
+++ b/modules/nixos/features/sudo.nix
@@ -0,0 +1,6 @@
+{
+  ...
+}:
+{
+  security.sudo.execWheelOnly = true;
+}