Do some actual SSH configuration improvement

nixos/modules/ssh.nix

@@ -16,6 +16,22 @@
     # https://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
     services.openssh = {
       enable = true;
+
+      # We don't use SFTP for anything.  No reason to expose it.
+      allowSFTP = false;
+
+      # We only allow key-based authentication.
+      challengeResponseAuthentication = false;
+      passwordAuthentication = false;
+
+      extraConfig = ''
+        # Possibly this is superfluous considering we don't allow
+        # password-based authentication at all.
+        PermitEmptyPasswords no
+
+        # Don't allow authentication as random system users.
+        AllowUsers root
+      '';
     };
 
     users.users.root.openssh.authorizedKeys.keys = [