# SSH configuration for the "code" user
# This user can only access git repositories and cannot read other system files

# Explicitly deny root login
PermitRootLogin no

# Deny user environment manipulation globally
PermitUserEnvironment no

# Only allow the "code" user to login via SSH
AllowUsers code

Match User code
    # Only allow public key authentication
    PubkeyAuthentication yes
    PasswordAuthentication no
    PermitEmptyPasswords no

    # Use authorized_keys from a volume mount (outside the repositories directory)
    AuthorizedKeysFile /etc/ssh/authorized_keys_code

    # Harden SSH: disable forwarding and tunnelling, which git access does not need
    X11Forwarding no
    AllowTcpForwarding no
    AllowAgentForwarding no
    PermitTunnel no
    GatewayPorts no

    # TTY allocation stays enabled for this user
    PermitTTY yes