diff --git a/playbooks/aur-dev.archlinux.org.yml b/playbooks/aur-dev.archlinux.org.yml
index 569e0d0509a7588819ecb98e57be03d160da6246..adf4e69bac20bdd6648023438b12af91d959458a 100644
--- a/playbooks/aur-dev.archlinux.org.yml
+++ b/playbooks/aur-dev.archlinux.org.yml
@@ -6,7 +6,7 @@
   roles:
     - { role: common }
     - { role: tools }
-    - { role: sshd }
+    - { role: sshd, sshd_enable_includes: true }
     - { role: root_ssh }
     - { role: certbot }
     - { role: nginx }
diff --git a/roles/aurweb/tasks/main.yml b/roles/aurweb/tasks/main.yml
index 19e220ae0f88f12a59ab6e55468f64b0a723df2b..cba246d667d33cc0fbc564d6964507b2488d6663 100644
--- a/roles/aurweb/tasks/main.yml
+++ b/roles/aurweb/tasks/main.yml
@@ -245,6 +245,6 @@
        - aurweb-tuvotereminder.timer
 
 - name: configure sshd
-  template: src=sshd_config.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0644 validate='/usr/sbin/sshd -t -f %s'
+  template: src=aurweb_config.j2 dest={{ sshd_includes_dir }}/aurweb_config owner=root group=root mode=0600 validate='/usr/sbin/sshd -t -f %s'
   notify:
     - restart sshd
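Review bot: The `validate='/usr/sbin/sshd -t -f %s'` on the new template task checks the fragment as a standalone config file, so it no longer proves that the configuration sshd actually loads is valid or that it includes this file. The Match block is silently skipped if the sshd role's Include directive (not visible in this diff) is absent, uses a glob such as `*.conf` that the name `aurweb_config` would not match, or the role runs on a host without `sshd_enable_includes: true`. In that case the aurweb user falls back to the global authentication settings. I would add a follow-up task that checks the effective config, for example `command: /usr/sbin/sshd -T -C user={{ aurweb_user }}` with `changed_when: false`, and fail unless its output contains the `authorizedkeyscommand` line. The task list continues above this hunk.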
diff --git a/roles/aurweb/templates/aurweb_config.j2 b/roles/aurweb/templates/aurweb_config.j2
new file mode 100644
index 0000000000000000000000000000000000000000..371524a3b695f4b735ab973a55249485d6e8b966
--- /dev/null
+++ b/roles/aurweb/templates/aurweb_config.j2
@@ -0,0 +1,5 @@
+Match User {{ aurweb_user }}
+        PasswordAuthentication no
+        AuthorizedKeysCommand /usr/local/bin/aurweb-git-auth "%t" "%k"
+        AuthorizedKeysCommandUser {{ aurweb_user }}
+        AcceptEnv AUR_OVERWRITE
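Review bot: `PasswordAuthentication no` alone does not make this Match block key-only. Keyboard-interactive (PAM) authentication and the user's own `~/.ssh/authorized_keys` remain usable alongside `AuthorizedKeysCommand`, unless the global config (not shown in this diff) already disables them. Consider adding `AuthenticationMethods publickey` and `AuthorizedKeysFile none` inside the block so that aurweb-git-auth is the only source of accepted keys. The block also sets no forwarding or TTY restrictions, which is acceptable only if the key options emitted by aurweb-git-auth impose them; a template comment stating that would help the next reader. `AcceptEnv AUR_OVERWRITE` passes a client-chosen value to the server side, so whatever consumes it should treat it as untrusted and check the caller's privileges itself.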