diff --git a/gitea.yml b/gitea.yml
index c8e723e..0794bee 100644
--- a/gitea.yml
+++ b/gitea.yml
@@ -3,7 +3,6 @@
 - apache
 - role: gitea
 tags: gitea
- - sshd
 tasks:
 - name: ensure apache is running
 service:
diff --git a/roles/gitea/files/gitea.sshd_config b/roles/gitea/files/gitea.sshd_config
new file mode 100644
index 0000000..db668dc
--- /dev/null
+++ b/roles/gitea/files/gitea.sshd_config
@@ -0,0 +1,3 @@
+Match User gitea
+ PasswordAuthentication no
+ PermitTTY no
diff --git a/roles/gitea/handlers/main.yml b/roles/gitea/handlers/main.yml
index 4cc01c6..945d380 100644
--- a/roles/gitea/handlers/main.yml
+++ b/roles/gitea/handlers/main.yml
@@ -9,3 +9,7 @@
 service: name=gitea state=restarted
+- name: reload sshd
+ service:
+ name: sshd
+ state: reloaded
diff --git a/roles/gitea/tasks/main.yml b/roles/gitea/tasks/main.yml
index da57f14..37b9b44 100644
--- a/roles/gitea/tasks/main.yml
+++ b/roles/gitea/tasks/main.yml
@@ -84,3 +84,15 @@
 name=httpd_can_network_connect persistent=yes state=yes
+
+- name: ensure sshd is configured for gitea
+ copy:
+ src: gitea.sshd_config
+ dest: /etc/ssh/sshd_config.d/80-gitea.conf
+ mode: u=rw,go=r
+ owner: root
+ group: root
+ notify:
+ - reload sshd
+ tags:
+ - sshd-config
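Review bot: The `Match User gitea` block in roles/gitea/files/gitea.sshd_config turns off only password logins and TTY allocation, so keyboard-interactive authentication and TCP, agent and X11 forwarding stay at whatever the global sshd configuration allows for this account. For an account that exists only to serve git over SSH, the block would be tighter with `AuthenticationMethods publickey`, `AllowTcpForwarding no` and `AllowAgentForwarding no` under the Match, and X11 forwarding disabled the same way. Gitea's own authorized_keys entries may already carry per-key restrictions, but that is not visible in this diff and would not cover a key added to the file by hand. A leading comment such as `# Managed by Ansible (roles/gitea): restricts the gitea git-over-SSH account` would also tell whoever finds the drop-in on the host where it comes from.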
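Review bot: The copy task added in roles/gitea/tasks/main.yml writes /etc/ssh/sshd_config.d/80-gitea.conf and notifies `reload sshd` without checking that the file parses, so a typo in the fragment may only surface when sshd re-reads its configuration. Adding `validate: /usr/sbin/sshd -t -f %s` to the `copy:` arguments (binary path to be confirmed for the target distribution) makes the play fail before the file is put in place; note that it checks the fragment in isolation, not the merged configuration. The fragment also only takes effect if the main sshd_config has an `Include` covering /etc/ssh/sshd_config.d/, and this commit drops the `sshd` role from gitea.yml, so nothing visible in the diff guarantees that; a comment on the task stating the assumption, or a check for the Include line, would make it explicit. The task list starts outside the hunk.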