Optimize SSH connection performance by disabling GSSAPI authentication and reverse DNS lookups

- Added 'GSSAPIAuthentication no' to prevent unnecessary Kerberos negotiation delays.
- Added 'UseDNS no' to skip reverse DNS resolution during SSH login, improving connection speed.
- Both changes improve SSH responsiveness, especially in non-domain environments.

Reference: https://chatgpt.com/share/68efc179-1a10-800f-9656-1e8731b40546

ansible.cfg

@@ -1,5 +1,6 @@
 [defaults]
 # --- Performance & Behavior ---
+pipelining = True
 forks = 25
 strategy = linear
 gathering = smart
@@ -14,19 +15,14 @@ stdout_callback = yaml
 callbacks_enabled = profile_tasks,timer
 
 # --- Plugin paths ---
-filter_plugins = ./filter_plugins
+filter_plugins  = ./filter_plugins
 lookup_plugins  = ./lookup_plugins
 module_utils    = ./module_utils
 
 [ssh_connection]
-# Multiplexing: safer socket path in HOME instead of /tmp
+ssh_args = -o ControlMaster=auto -o ControlPersist=20s -o ControlPath=~/.ssh/ansible-%h-%p-%r -o ServerAliveInterval=15 -o ServerAliveCountMax=3 -o StrictHostKeyChecking=accept-new -o PreferredAuthentications=publickey,password,keyboard-interactive
-ssh_args = -o ControlMaster=auto -o ControlPersist=20s -o ControlPath=~/.ssh/ansible-%h-%p-%r \
-           -o ServerAliveInterval=15 -o ServerAliveCountMax=3 -o StrictHostKeyChecking=accept-new \
-           -o PreferredAuthentications=publickey,password,keyboard-interactive
-
-# Pipelining boosts speed; works fine if sudoers does not enforce "requiretty"
 pipelining = True
-scp_if_ssh = smart
+transfer_method = smart
 
 [persistent_connection]
 connect_timeout = 30

roles/sys-svc-sshd/templates/sshd_config.j2

@@ -68,7 +68,12 @@ ChallengeResponseAuthentication no
 #KerberosGetAFSToken no
 
 # GSSAPI options
-#GSSAPIAuthentication no
+# Disable GSSAPI (Kerberos) authentication to avoid unnecessary negotiation delays.
+# This setting is useful for non-domain environments where GSSAPI is not used,
+# improving SSH connection startup time and reducing overhead.
+# See: https://chatgpt.com/share/68efc179-1a10-800f-9656-1e8731b40546
+GSSAPIAuthentication no
+
 #GSSAPICleanupCredentials yes
 
 # Set this to 'yes' to enable PAM authentication, account processing,
@@ -97,7 +102,13 @@ PrintMotd no # pam does that
 #Compression delayed
 #ClientAliveInterval 0
 #ClientAliveCountMax 3
-#UseDNS no
+
+# Disable reverse DNS lookups to speed up SSH logins.
+# When UseDNS is enabled, sshd performs a reverse DNS lookup for each connecting client,
+# which can significantly delay authentication if DNS resolution is slow or misconfigured.
+# See: https://chatgpt.com/share/68efc179-1a10-800f-9656-1e8731b40546
+UseDNS no
+
 #PidFile /run/sshd.pid
 #MaxStartups 10:30:100
 #PermitTunnel no

roles/web-app-gitea/templates/env.j2

@@ -70,7 +70,7 @@ GITEA__security__INSTALL_LOCK=true # Locks the installation page
 GITEA__openid__ENABLE_OPENID_SIGNUP={{ applications | get_app_conf(application_id, 'features.oidc', False) | lower }}
 GITEA__openid__ENABLE_OPENID_SIGNIN={{ applications | get_app_conf(application_id, 'features.oidc', False) | lower }}
 
-{% if applications | get_app_conf(application_id, 'features.oidc', False) or applications | get_app_conf(application_id, 'features.ldap', False) %}
+{% if GITEA_IAM_ENABLED | bool %}
 
 EXTERNAL_USER_DISABLE_FEATURES=deletion,manage_credentials,change_username,change_full_name
 
@@ -80,9 +80,5 @@ GITEA__ldap__SYNC_USER_ON_LOGIN=true
 
 {% endif %}
 
-# ------------------------------------------------
+GITEA__service__DISABLE_REGISTRATION={{ GITEA_IAM_ENABLED | lower }}
-# Disable user self-registration
-# ------------------------------------------------
-# After this only admins can create accounts
-GITEA__service__DISABLE_REGISTRATION=false
 

roles/web-app-gitea/vars/main.yml

@@ -32,3 +32,5 @@ GITEA_CONFIG:         "/data/gitea/conf/app.ini"
 ## Redis
 GITEA_REDIS_ENABLED:  "{{ applications | get_app_conf(application_id, 'docker.services.redis.enabled') }}"
 GITEA_REDIS_ADDRESS:  "redis:6379"
+
+GITEA_IAM_ENABLED:    "{{ applications | get_app_conf(application_id, 'features.oidc', False) or applications | get_app_conf(application_id, 'features.ldap', False) }}"

tasks/stages/01_constructor.yml

@@ -121,7 +121,7 @@
   when: MODE_UPDATE | bool
 
 - name: "Ensure correct timezone is '{{ HOST_TIMEZONE }}'"
-  ansible.builtin.timezone:
+  community.general.timezone:
     name: "{{ HOST_TIMEZONE }}"
 
 - name: "Load base roles"