From 8667f8615da479a8e9c4e8d5bb5987632d75bfaf Mon Sep 17 00:00:00 2001
From: Elizabeth Hunt
Date: Fri, 5 Dec 2025 21:43:18 -0800
Subject: Add ssh server

---
 sshd_code_user.conf | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 sshd_code_user.conf

(limited to 'sshd_code_user.conf')

diff --git a/sshd_code_user.conf b/sshd_code_user.conf
new file mode 100644
index 0000000..19ef103
--- /dev/null
+++ b/sshd_code_user.conf
@@ -0,0 +1,28 @@
+# SSH configuration for the "code" user
+# This user can only access git repositories and cannot read other system files
+
+# Explicitly deny root login
+PermitRootLogin no
+
+# Deny user environment manipulation globally
+PermitUserEnvironment no
+
+# Only allow the "code" user to login via SSH
+AllowUsers code
+
+Match User code
+ # Only allow public key authentication
+ PubkeyAuthentication yes
+ PasswordAuthentication no
+ PermitEmptyPasswords no
+
+ # Use authorized_keys from a volume mount (outside the repositories directory)
+ AuthorizedKeysFile /etc/ssh/authorized_keys_code
+
+ # Restrict to necessary commands only - harden SSH
+ X11Forwarding no
+ AllowTcpForwarding no
+ AllowAgentForwarding no
+ PermitTunnel no
+ GatewayPorts no
+ PermitTTY yes
-- 
cgit v1.2.3-70-g09d2
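Review bot: The comment `# Restrict to necessary commands only - harden SSH` is not backed by anything in the Match block — the options that follow only disable forwarding, and no `ForceCommand` limits what the code user can run, so either the restriction is enforced elsewhere (e.g. the user's login shell) or the comment overstates what this file does. If it is meant to be enforced here, `ForceCommand git-shell -c "$SSH_ORIGINAL_COMMAND"` inside the Match block would do it, and for a git-only user `PermitTTY no` is more consistent with the stated intent than `PermitTTY yes`. Password authentication is disabled but keyboard-interactive is not; `KbdInteractiveAuthentication no` closes that path if PAM is enabled in the rest of the sshd configuration, which is not visible here. The header's claim that the user "cannot read other system files" is a filesystem-permission (or chroot) property that this file alone does not establish, so it is better worded as an intent than a guarantee.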