# Managed by Ansible — do not edit manually

Port {{ sshd_port }}
AddressFamily inet
ListenAddress 0.0.0.0

# Authentication
PermitRootLogin {{ sshd_permit_root_login }}
PasswordAuthentication {{ sshd_password_authentication }}
PubkeyAuthentication {{ sshd_pubkey_authentication }}
AuthorizedKeysFile .ssh/authorized_keys
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes

# Forwarding
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding {{ sshd_x11_forwarding }}
PrintMotd no

# Timeouts and limits
LoginGraceTime 30
MaxAuthTries {{ sshd_max_auth_tries }}
MaxSessions 5
ClientAliveInterval {{ sshd_client_alive_interval }}
ClientAliveCountMax {{ sshd_client_alive_count_max }}

# Subsystems
Subsystem sftp /usr/lib/openssh/sftp-server

# Only allow the deploy user
AllowUsers {{ deploy_user }}