gitea: Restrict SSH configuration

Since Gitea servers may be exposed directly to the Internet, it is important to prevent SSH tunneling, lest the server become an ingress point into the network. Additionally, the *gitea* user should not be allowed to use password authentication, as this would only work if the user actually has a password (which it does not) and would result in shell access instead of Gitea.
2018-06-06 21:45:36 -05:00 · 2018-06-06 21:45:36 -05:00 · 6396b9fc49
parent 2be0e3d0a5
commit 6396b9fc49
2 changed files with 9 additions and 0 deletions
--- a/gitea.yml
+++ b/gitea.yml
@ -2,6 +2,7 @@
  roles:
  - apache
  - gitea
+  - sshd
  tasks:
  - name: ensure apache is running
    service:
--- a/group_vars/gitea.yml
+++ b/group_vars/gitea.yml
@ -0,0 +1,8 @@
+sshd_agent_forwarding: false
+sshd_tcp_forwarding: false
+sshd_x11_forwarding: false
+sshd_config_matches:
+- object: User
+  pattern: gitea
+  password_auth: false
+  permit_tty: false