Details
Answers
This is not much different from the official diffusion doc. Let us start from https://secure.phabricator.com/book/phabricator/article/diffusion_hosting/#configuring-system-user
We will create the vcs-user first, called git.
sudo adduser --system --shell /bin/sh --gecos 'git version control user' --group --disabled-password --home /home/git git
Next, since we plan to use ssh, we will allow our git user to access only a limited number of binaries over the network, so add the following to /etc/sudoers with visudo:
git ALL=(daemon-user) SETENV: NOPASSWD: /usr/bin/git-upload-pack, /usr/bin/git-receive-pack
I have edited the git binaries' paths to the standard paths in the Debian ecosystem; please edit them if yours are different. Also remember to edit the daemon-user value.
Next, complete the rest of the part from that section in the official docs. After that...
...coming to https://secure.phabricator.com/book/phabricator/article/diffusion_hosting/#configuring-ssh
Here, we entirely skip the first two steps described, and just follow the third one.
Copy phabricator/resources/sshd/phabricator-ssh-hook.sh to /usr/share/phabricator-ssh-hook.sh, and edit it to match your system config.
Then edit the permissions as described:
sudo chown root /usr/share/phabricator-ssh-hook.sh
sudo chmod 755 /usr/share/phabricator-ssh-hook.sh
Next follow the rest of that section, but in the file /etc/sshd_config.phabricator, set the port to whatever port you want (I chose 240), and you are almost done.
Now the most important key of the recipe is setting the correct options with phabricator/bin/config. We let it know the correct port, and the user via this:
./bin/config set diffusion.ssh-user git
./bin/config set diffusion.ssh-port 240
If you chose a port different from 240, use that instead.
No restart is required with this, and things should work just fine :) If you ever restart your server, the Phabricator SSH daemon won't autostart, so add it to /etc/rcinit as well.
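
To confirm that the sshd config, the hook's ownership and mode, and the values passed to ./bin/config agree, a check like the following can be run. It is an added example, not part of the original answer or of Phabricator; the function names are hypothetical, it assumes GNU stat, and it assumes the config sets Port, AllowUsers, AuthorizedKeysCommand and AuthorizedKeysCommandUser as the official template does.

```shell
# Added example. Constructed sample config using the answer's values
# (user git, port 240, hook in /usr/share); not a real server config.
sample_config() {
    cat <<'EOF'
AuthorizedKeysCommand /usr/share/phabricator-ssh-hook.sh
AuthorizedKeysCommandUser git
AllowUsers git
Port 240
EOF
}

# Print the value on the first line that sets KEYWORD (case-insensitive).
sshd_directive() {  # usage: sshd_directive FILE KEYWORD
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# True when an octal mode has no group/other write bit.
mode_is_safe() {  # usage: mode_is_safe 755
    [ $(( 0$1 & 022 )) -eq 0 ]
}

# True when FILE is owned by uid OWNER (default 0, root) with a safe mode.
hook_is_safe() {  # usage: hook_is_safe FILE [OWNER_UID]
    [ -f "$1" ] || return 1
    [ "$(stat -c %u "$1")" = "${2:-0}" ] && mode_is_safe "$(stat -c %a "$1")"
}

# Compare the sshd config with the ./bin/config values; status = mismatches.
check_setup() {  # usage: check_setup SSHD_CONFIG USER PORT HOOK
    bad=0
    for pair in "Port=$3" "AllowUsers=$2" "AuthorizedKeysCommandUser=$2" \
                "AuthorizedKeysCommand=$4"; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_directive "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: config has '${got:-unset}', expected '$want'"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Check the live files only when called as: sh check.sh live
if [ "${1:-}" = "live" ]; then
    hook=/usr/share/phabricator-ssh-hook.sh
    check_setup /etc/sshd_config.phabricator git 240 "$hook"
    hook_is_safe "$hook" || echo "UNSAFE $hook: want owner root, mode 755"
fi
```

If you chose a different port or user, pass those to check_setup instead of 240 and git.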