forgejo: run internal ssh server on port 22

The system-wide SSH server was hidden behind a wireguard proxy for
security reasons, but since forgejo was using it, git pushes and pulls
got broken for people without wireguard access.

These config changes make sure forgejo starts its built-in SSH server
on port 22, which is then allowed to be accessed from the open internet
in the firewall config.
This commit is contained in:
Benjamin Yule Bädorf 2024-04-05 15:02:39 +02:00
parent 2851273d18
commit ad1ea4a49e
Signed by untrusted user: b12f
GPG key ID: 729956E1124F8F26
2 changed files with 6 additions and 1 deletions

View file

@ -41,6 +41,9 @@
users.groups.gitea = {}; users.groups.gitea = {};
# Expose SSH port only for forgejo SSH
networking.firewall.allowedTCPPorts = [ 22 ];
services.forgejo = { services.forgejo = {
enable = true; enable = true;
user = "gitea"; user = "gitea";
@ -63,6 +66,7 @@
DOMAIN = "git.pub.solar"; DOMAIN = "git.pub.solar";
HTTP_ADDR = "127.0.0.1"; HTTP_ADDR = "127.0.0.1";
HTTP_PORT = 3000; HTTP_PORT = 3000;
START_SSH_SERVER = true;
}; };
log.LEVEL = "Warn"; log.LEVEL = "Warn";

View file

@ -1,10 +1,11 @@
{ pkgs, lib, ... }: { { pkgs, lib, ... }: {
# Don't expose SSH via public interfaces # Don't expose SSH via public interfaces
networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 22 ]; networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 2222 ];
services.openssh = { services.openssh = {
enable = true; enable = true;
openFirewall = lib.mkDefault false; openFirewall = lib.mkDefault false;
ports = [ 2222 ];
settings = { settings = {
PermitRootLogin = "prohibit-password"; PermitRootLogin = "prohibit-password";
PasswordAuthentication = false; PasswordAuthentication = false;