{ config, pkgs, ... }:

{
  services.openssh = {
    enable = true;
    permitRootLogin = "prohibit-password";
    extraConfig = ''
      Match User gitea
        AllowAgentForwarding no
        AllowTcpForwarding no
        PermitTTY no
        X11Forwarding no
    '';
  };
}