diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index 166d3f4..c97a2fa 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -14,16 +14,15 @@
 owner: root
 group: "{{ ansible_wheel }}"
-# use openbsd kex algorithms but drop ssh-audit errors
+# use mozilla recommended settings (only prefer aes256 over chacha20)
+# https://infosec.mozilla.org/guidelines/openssh.html
 - name: tighten sshd kex algorithms
 lineinfile:
 path: /etc/ssh/sshd_config
- line: "KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,\
- diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,\
- diffie-hellman-group14-sha256"
+ line: "KexAlgorithms curve25519-sha256@libssh.org,\
+ diffie-hellman-group-exchange-sha256"
 regexp: "^KexAlgorithms .*"
 notify: restart sshd
-# use openbsd ciphers but in mozilla recommended order (kind of)
 - name: tighten sshd ciphers
 lineinfile:
 path: /etc/ssh/sshd_config
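Review bot: The new KexAlgorithms line adds diffie-hellman-group-exchange-sha256, whose group strength depends on the entries in /etc/ssh/moduli, and nothing in this commit prunes that file, so a stock moduli file can still negotiate weaker groups than the dropped fixed group16/group18 entries. The linked Mozilla guideline pairs this setting with a step that keeps only moduli of 3071 bits or more (`awk '$5 >= 3071' /etc/ssh/moduli`); a task doing that, or keeping `diffie-hellman-group16-sha512,diffie-hellman-group18-sha512` in the list, would close the gap. Since every lineinfile here rewrites sshd_config and then notifies a restart, adding `validate: /usr/sbin/sshd -t -f %s` to these tasks would catch a malformed line before the restart locks out remote access. The tighten-sshd-ciphers task continues outside the hunk.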
@@ -31,30 +30,32 @@
 aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
 regexp: "^Ciphers .*"
 notify: restart sshd
-# use openbsd macs but drop ssh-audit errors
 - name: tighten sshd macs
 lineinfile:
 path: /etc/ssh/sshd_config
- line: "MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com"
+ line: "MACs hmac-sha2-512-etm@openssh.com,\
+ hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,\
+ hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com"
 regexp: "^MACs .*"
 notify: restart sshd
+
 - name: disable ecdsa key from sshd
 lineinfile:
 path: /etc/ssh/sshd_config
 line: "#HostKey /etc/ssh/ssh_host_ecdsa_key"
- regexp: "HostKey /etc/ssh/ssh_host_ecdsa_key"
+ regexp: "^#?HostKey /etc/ssh/ssh_host_ecdsa_key"
 notify: restart sshd
 - name: enable rsa key from sshd
 lineinfile:
 path: /etc/ssh/sshd_config
 line: "HostKey /etc/ssh/ssh_host_rsa_key"
- regexp: "#?HostKey /etc/ssh/ssh_host_rsa_key"
+ regexp: "^#?HostKey /etc/ssh/ssh_host_rsa_key"
 notify: restart sshd
 - name: enable ed25519 key from sshd
 lineinfile:
 path: /etc/ssh/sshd_config
 line: "HostKey /etc/ssh/ssh_host_ed25519_key"
- regexp: "#?HostKey /etc/ssh/ssh_host_ed25519_key"
+ regexp: "^#?HostKey /etc/ssh/ssh_host_ed25519_key"
 notify: restart sshd
 - name: install basic roles
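Review bot: The new MACs line in the tighten-sshd-macs task reintroduces the encrypt-and-MAC algorithms `hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com` that the removed line deliberately excluded, so this hunk loosens the MAC policy relative to the previous ETM-only set even though the task is still named "tighten". If parity with the Mozilla list is the goal that is a defensible trade-off, but the old comment recording the ssh-audit rationale was deleted without a replacement; a one-line comment such as `# non-etm MACs kept for mozilla parity; ssh-audit will warn on them` above the task would preserve the reasoning for the next reader. Anchoring the three HostKey regexps with `^#?` is a sound fix, since the unanchored `#?HostKey` could previously match a mention of the path anywhere on a line rather than the directive itself.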