Initial commit, squashed

roles/firewall/files/sshd_config.friwall

@@ -0,0 +1,15 @@
+# This is used by sshd in default VRF to receive configuration updates. Lock
+# down to only allow executing the update script.
+
+# Only allow pubkey auth.
+KbdInteractiveAuthentication no
+PasswordAuthentication no
+PermitRootLogin prohibit-password
+
+# Disable what we can.
+AllowTcpForwarding no
+GatewayPorts no
+X11Forwarding no
+
+# And then disable everything else.
+ForceCommand /usr/local/bin/update