From 6396b9fc49c00474c72005339ae6bd4597df5a0f Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Wed, 6 Jun 2018 21:45:36 -0500
Subject: [PATCH] gitea: Restrict SSH configuration

Since Gitea servers may be exposed directly to the Internet, it is important to prevent SSH tunneling, lest the server become an ingress point into the network. Additionally, the *gitea* user should not be allowed to use password authentication, as this would only work if the user actually has a password (which it does not) and would result in shell access instead of Gitea.
---
 gitea.yml | 1 +
 group_vars/gitea.yml | 8 ++++++++
 2 files changed, 9 insertions(+)
 create mode 100644 group_vars/gitea.yml

diff --git a/gitea.yml b/gitea.yml
index 02c354c..457e305 100644
--- a/gitea.yml
+++ b/gitea.yml
@@ -2,6 +2,7 @@
 roles:
 - apache
 - gitea
+ - sshd
 tasks:
 - name: ensure apache is running
 service:
diff --git a/group_vars/gitea.yml b/group_vars/gitea.yml
new file mode 100644
index 0000000..54de1a5
--- /dev/null
+++ b/group_vars/gitea.yml
@@ -0,0 +1,8 @@
+sshd_agent_forwarding: false
+sshd_tcp_forwarding: false
+sshd_x11_forwarding: false
+sshd_config_matches:
+- object: User
+ pattern: gitea
+ password_auth: false
+ permit_tty: false
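Review bot: `sshd_tcp_forwarding: false` in the new group_vars/gitea.yml turns off TCP port forwarding, but OpenSSH treats Unix-socket forwarding (`AllowStreamLocalForwarding`) and layer-2/3 tunnels (`PermitTunnel`) as separate directives, so the "prevent SSH tunneling" goal in the commit message is only partly met unless the sshd role sets those elsewhere, which this diff does not show. If the role exposes equivalent variables, add them next to the three forwarding keys; otherwise verify the rendered configuration on a gitea host with `sshd -T` and check those two directives. The file also carries no explanation of why these values exist, leaving the rationale only in the commit message; a header comment such as `# gitea hosts may face the Internet: no forwarding globally, and no password auth or TTY for the gitea user, so SSH serves only as a Git transport` would keep the intent with the settings. How the `object: User` / `pattern: gitea` entry is rendered into a Match block depends on the sshd role's handling of `sshd_config_matches`, which is outside this patch.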