I have this:

    repo dotfiles
        RW+CD   @dev                    = @ben.boeckel
        RW      refs/heads/master       = @ben.boeckel

    repo priv/dotfiles
        RW+C    refs/heads/non-public   = @ben.boeckel
        RW+C    refs/heads/$hostname    = @ben.boeckel
        -                               = @all
        config gitolite-options.deny-repo = 1
        config core.sharedRepository = 0700

Where the $hostname line is repeated for each host-specific branch I have. This effectively ensures that access to any non-dev/ branch (the @dev) other than master is denied. The private repo is then locked down to just those branches.
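An added example, not part of the original post: a simplified Python model of how Gitolite walks rules like these in file order for a plain push, useful for checking which refs an ACL really admits. It assumes `@dev` expands to `refs/heads/dev/` and uses the constructed name `laptop` for one `$hostname` line; `can_push` and `RULES` are hypothetical names.

```python
import re

# Rules per repo, in file order: (permission, refex, grantee).
# Assumptions: @dev expands to refs/heads/dev/, and "laptop" stands in
# for one $hostname line. A rule with no refex defaults to refs/.*
RULES = {
    "dotfiles": [
        ("RW+CD", "refs/heads/dev/", "@ben.boeckel"),
        ("RW", "refs/heads/master", "@ben.boeckel"),
    ],
    "priv/dotfiles": [
        ("RW+C", "refs/heads/non-public", "@ben.boeckel"),
        ("RW+C", "refs/heads/laptop", "@ben.boeckel"),
        ("-", "refs/.*", "@all"),
    ],
}


def can_push(repo, groups, ref):
    """Simplified first-match check for a plain fast-forward push (W)."""
    for perm, refex, grantee in RULES.get(repo, []):
        # Skip rules that do not apply to this user.
        if grantee != "@all" and grantee not in groups:
            continue
        # A refex is anchored at the start only, so this is a prefix match.
        if not re.match(refex, ref):
            continue
        if perm == "-":
            return False  # explicit deny rule reached first
        if "W" in perm:
            return True   # any RW* rule grants the push
    return False  # no rule matched: fallthrough deny


if __name__ == "__main__":
    me = {"@ben.boeckel"}
    for repo, ref in [
        ("dotfiles", "refs/heads/dev/topic"),
        ("dotfiles", "refs/heads/feature"),
        ("dotfiles", "refs/heads/master-wip"),
        ("priv/dotfiles", "refs/heads/laptop"),
        ("priv/dotfiles", "refs/heads/master"),
    ]:
        print(repo, ref, "allow" if can_push(repo, me, ref) else "deny")
```

Because the match is a prefix match, `refs/heads/master` also admits `refs/heads/master-wip`; ending the refex with `$` restricts it to the exact branch.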