diff --git a/group_vars/pyrocufflink/main.yml b/group_vars/pyrocufflink/main.yml
index 5587f6a..3a36093 100644
--- a/group_vars/pyrocufflink/main.yml
+++ b/group_vars/pyrocufflink/main.yml
@@ -22,3 +22,5 @@ sudo_authorized_ssh_keys: |
 # Default flags include -n, which makes Ansible complain about a "missing
 # become password," even though it would never actually prompt for one.
 ansible_become_flags: -H
+
+fileserver_sftp_only_match: 'Group !server?admins,*'
diff --git a/roles/fileserver/defaults/main.yml b/roles/fileserver/defaults/main.yml
index 59f645b..261821d 100644
--- a/roles/fileserver/defaults/main.yml
+++ b/roles/fileserver/defaults/main.yml
@@ -1,2 +1,4 @@
 file_shares: []
 samba_use_smbd: true
+
+fileserver_sftp_only_match: 'User !root,*'
diff --git a/roles/fileserver/handlers/main.yml b/roles/fileserver/handlers/main.yml
index adf5c93..d1e84f0 100644
--- a/roles/fileserver/handlers/main.yml
+++ b/roles/fileserver/handlers/main.yml
@@ -1,2 +1,7 @@
 - name: save firewalld configuration
   command: firewall-cmd --runtime-to-permanent
+
+- name: reload sshd
+  service:
+    name: sshd
+    state: reloaded
diff --git a/roles/fileserver/tasks/main.yml b/roles/fileserver/tasks/main.yml
index 05a16b4..53120eb 100644
--- a/roles/fileserver/tasks/main.yml
+++ b/roles/fileserver/tasks/main.yml
@@ -44,3 +44,16 @@
     name=samba_enable_home_dirs
     persistent=yes
     state=yes
+
+- name: ensure ssh server is configured for sftp only
+  template:
+    src: sftp-only.sshd_config.j2
+    dest: /etc/ssh/sshd_config.d/95-sftp-only.conf
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+    - reload sshd
+  tags:
+    - sshd-config
+    - config
diff --git a/roles/fileserver/templates/sftp-only.sshd_config.j2 b/roles/fileserver/templates/sftp-only.sshd_config.j2
new file mode 100644
index 0000000..ad92c7d
--- /dev/null
+++ b/roles/fileserver/templates/sftp-only.sshd_config.j2
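Review bot: If the `?` in `'Group !server?admins,*'` is literal rather than a rendering artifact, it is a single-character wildcard in sshd pattern lists, so the exemption from the SFTP-only block applies to every group whose name fits that shape (`server-admins`, `server_admins`, `serverXadmins`, ...), not only the one intended admin group. Spell the group name out, e.g. `fileserver_sftp_only_match: 'Group !server-admins,*'`, unless the wildcard is deliberately covering two spellings. A short comment above the variable would also help the next reader: `# Members of this group keep their normal shell; every other user is restricted to internal-sftp by the fileserver role.`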
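Review bot: The `template` task installs the sshd drop-in without `validate:`, and the notified handler reloads sshd unconditionally; on systems where the service reload is a plain SIGHUP, sshd re-execs against a rendered file that does not parse (for example a malformed `fileserver_sftp_only_match` value) and can exit, leaving the daemon down. Add `validate: /usr/sbin/sshd -t -f %s` under the `template` module arguments so the rendered drop-in is syntax-checked before it replaces the installed file. This checks the drop-in in isolation, so it catches bad keywords and patterns but not interactions with the main sshd_config. The enclosing task list continues outside the hunk.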
@@ -0,0 +1,11 @@
+Match {{ fileserver_sftp_only_match }}
+    AllowAgentForwarding no
+    AllowStreamLocalForwarding no
+    AllowTcpForwarding no
+    DisableForwarding yes
+    ForceCommand internal-sftp
+    PermitListen none
+    PermitOpen none
+    PermitTTY no
+    PermitTunnel no
+    PermitUserRC no
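Review bot: The rendered drop-in has no marker that it is generated and no statement of what the `Match` block is meant to enforce; add `# {{ ansible_managed }}` as the first line and a comment above `Match` such as `# Users matching the pattern below get internal-sftp only: no shell, PTY, forwarding or tunnels. Deliberately not chrooted, so they see the normal filesystem as their own uid.` If a jail is actually intended, `ChrootDirectory` is the directive that is missing, since `ForceCommand internal-sftp` alone does not confine the user to a directory. As a point of style, `DisableForwarding yes` already turns off agent, TCP, StreamLocal, X11 and tunnel forwarding, so the three explicit `Allow*Forwarding no` lines are redundant and could be dropped unless kept for readability.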