From 5c297df6b9063cd56aa9e2fec3424f904989d675 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sat, 30 Sep 2023 15:22:16 -0500
Subject: [PATCH] r/gitea: use sshd_config.d
Recent(-ish) versions of Fedora have a drop-in configuration directory for `sshd`. This allows applications, etc. to define certain settings for the SSH server, without having to manage the entire server configuration. For Gitea specifically, we only need to set a few settings for the *gitea* user, leaving the remaining settings alone. This commit does not include any migration to undo the settings that were originally set, but that should be as simple as `mv /etc/ssh/sshd_config.rpmnew /etc/ssh/sshd_config && systemctl reload sshd`.
---
gitea.yml | 1 -
roles/gitea/files/gitea.sshd_config | 3 +++
roles/gitea/handlers/main.yml | 4 ++++
roles/gitea/tasks/main.yml | 12 ++++++++++++
4 files changed, 19 insertions(+), 1 deletion(-)
create mode 100644 roles/gitea/files/gitea.sshd_config
diff --git a/gitea.yml b/gitea.yml
index c8e723e..0794bee 100644
--- a/gitea.yml
+++ b/gitea.yml
@@ -3,7 +3,6 @@ - apache - role: gitea tags: gitea - - sshd tasks: - name: ensure apache is running service:
diff --git a/roles/gitea/files/gitea.sshd_config b/roles/gitea/files/gitea.sshd_config
new file mode 100644
index 0000000..db668dc
--- /dev/null
+++ b/roles/gitea/files/gitea.sshd_config
@@ -0,0 +1,3 @@
+Match User gitea
+ PasswordAuthentication no
+ PermitTTY no
diff --git a/roles/gitea/handlers/main.yml b/roles/gitea/handlers/main.yml
index 4cc01c6..945d380 100644
--- a/roles/gitea/handlers/main.yml
+++ b/roles/gitea/handlers/main.yml
@@ -9,3 +9,7 @@ service: name=gitea state=restarted
+- name: reload sshd
+ service:
+ name: sshd
+ state: reloaded
diff --git a/roles/gitea/tasks/main.yml b/roles/gitea/tasks/main.yml
index da57f14..37b9b44 100644
--- a/roles/gitea/tasks/main.yml
+++ b/roles/gitea/tasks/main.yml
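Review bot: The new `Match User gitea` block turns off passwords and TTYs but leaves TCP, agent and X11 forwarding and tunnelling available to any key that authenticates as *gitea*, so a user with a registered key still cannot get a shell yet can use the Gitea host as a port-forwarding pivot. Gitea normally writes `no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty` options into the authorized_keys entries it manages, but enforcing the same restrictions at the sshd level means they hold even if that file is regenerated or edited without them. I would add `AllowTcpForwarding no`, `AllowAgentForwarding no`, `X11Forwarding no` and `PermitTunnel no` under the Match line, as below.
```conf
Match User gitea
    # … unchanged: PasswordAuthentication no / PermitTTY no …
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
```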
@@ -84,3 +84,15 @@ name=httpd_can_network_connect persistent=yes state=yes
+
+- name: ensure sshd is configured for gitea
+ copy:
+ src: gitea.sshd_config
+ dest: /etc/ssh/sshd_config.d/80-gitea.conf
+ mode: u=rw,go=r
+ owner: root
+ group: root
+ notify:
+ - reload sshd
+ tags:
+ - sshd-config
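Review bot: The `copy` task installs `80-gitea.conf` into `/etc/ssh/sshd_config.d/` without validating it, and the `reload sshd` handler it notifies can take the listener down on a parse error (sshd re-executes itself on SIGHUP), which is a lock-out risk for any future typo in the drop-in. Adding `validate: /usr/sbin/sshd -t -f %s` to the copy task rejects a broken file before it is installed and before the handler fires. Separately, the drop-in only has effect if `/etc/ssh/sshd_config` still carries Fedora's `Include /etc/ssh/sshd_config.d/*.conf` line; the commit message says hosts previously managed by the now-removed sshd role need a manual `mv` of the `.rpmnew` file, so until that is done this task reports success while the gitea settings are silently ignored. A check such as `command: sshd -T -C user=gitea` asserting that `permittty no` appears in the effective configuration would make that gap visible in the play. The enclosing task list starts outside the hunk.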