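{{ ansible_managed | comment }}
# Hardened SSH configuration for Performance West
#
# Rendered by Ansible into sshd_config. A syntax error or a wrong AllowUsers
# value in this file can lock out remote access.
# NOTE(review): confirm the task that renders this template validates the
# result with `sshd -t` before sshd is reloaded.

# Listener: IPv4 only, on every interface, on the templated port.
Port {{ ssh_port }}
AddressFamily inet
ListenAddress 0.0.0.0

# Authentication
# Public-key login only. Root login, passwords and keyboard-interactive
# prompts are all disabled.
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
# ChallengeResponseAuthentication is a deprecated alias of
# KbdInteractiveAuthentication on newer OpenSSH releases. Both are set so
# that older and newer daemons behave the same.
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
# PAM stays enabled for account and session processing. With the two
# settings above it is not used to authenticate.
UsePAM yes

# Only allow the deploy user
# Every other account is refused, even if it holds a valid key.
AllowUsers {{ deploy_user }}

# Disable unused auth methods
GSSAPIAuthentication no
KerberosAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no

# Session settings
# MaxAuthTries counts every key a client offers, so clients with many keys
# loaded may need to select the right identity explicitly.
MaxAuthTries 3
MaxSessions 5
# Seconds an unauthenticated connection may stay open.
LoginGraceTime 30
# Probe the client after 300 s without traffic and drop it after 2
# unanswered probes. This removes dead connections; it does not time out an
# idle client that still answers.
ClientAliveInterval 300
ClientAliveCountMax 2

# Disable forwarding (not needed for this server)
# The deploy user has shell access, so this reduces exposure but does not by
# itself stop that user from running a forwarder of their own.
AllowTcpForwarding no
X11Forwarding no
AllowAgentForwarding no

# Logging
# VERBOSE adds authentication detail (for example key fingerprints) to the
# AUTH facility, which helps when auditing which key was used.
SyslogFacility AUTH
LogLevel VERBOSE

# Misc
PrintMotd no
# Client-supplied environment is limited to locale variables.
AcceptEnv LANG LC_*

# Use internal sftp
# In-process SFTP server; no external sftp-server binary is needed.
Subsystem sftp internal-sftp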