diff --git a/modules/ssh-server.nix b/modules/ssh-server.nix
index fcdbab4..c53ecd0 100644
--- a/modules/ssh-server.nix
+++ b/modules/ssh-server.nix
@@ -14,10 +14,23 @@
         then [2226]
         else throw "Please add ssh port here"
     );
-    # Use authorized keys only.
-    settings.PasswordAuthentication = false;
+    # Enabling this is required for commands such as sftp and sshfs.
     allowSFTP = false;
+
+    settings = {
+      # Use authorized keys only.
+      PasswordAuthentication = false;
+
+      #
+      # https://infosec.mozilla.org/guidelines/openssh
+      #
+      Macs = ["hmac-sha2-512-etm@openssh.com"];
+      Ciphers = ["chacha20-poly1305@openssh.com"];
+      # TODO Use 25519 instead of RSA key pairs
+      #KexAlgorithms = ["curve25519-sha256@libssh.org"];
+    };
+
   };
 # TODO replace authorizedKeys in all .nix files with authorizedKeyFiles
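Review bot: The "Use authorized keys only." comment in the new `settings` block is not yet enforced by `PasswordAuthentication = false;` alone, because OpenSSH's keyboard-interactive (PAM) method can still accept a password unless it is also disabled; unless it is set elsewhere in the module, add `KbdInteractiveAuthentication = false;` next to it. The TODO above the commented-out `KexAlgorithms` line conflates two things: `KexAlgorithms` selects the key-exchange method and does not depend on whether host or user keys are RSA or Ed25519, so the curve25519 restriction can be enabled independently of any key migration; I would reword it to `# TODO separately: migrate RSA host/user keys to ed25519 (HostKeyAlgorithms/PubkeyAcceptedAlgorithms), unrelated to KexAlgorithms`. Restricting `Ciphers` and `Macs` to a single algorithm each is stricter than the linked Mozilla guideline, which lists several acceptable entries; that is fine for current OpenSSH clients but worth a comment noting it is a deliberate narrowing so nobody "fixes" it later. The enclosing attribute set begins before the hunk.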