forgejo: run internal ssh server on port 22
The system-wide SSH server was hidden behind a WireGuard proxy for security reasons, but since Forgejo was using it, git pushes and pulls broke for people without WireGuard access. These config changes make Forgejo start its built-in SSH server on port 22, which the firewall config then allows to be reached from the open internet.
parent
2851273d18
commit
ad1ea4a49e
@ -41,6 +41,9 @@
|
||||||
|
|
||||||
users.groups.gitea = {};
|
users.groups.gitea = {};
|
||||||
|
|
||||||
|
# Expose SSH port only for forgejo SSH
|
||||||
|
networking.firewall.allowedTCPPorts = [ 22 ];
|
||||||
|
|
||||||
services.forgejo = {
|
services.forgejo = {
|
||||||
enable = true;
|
enable = true;
|
||||||
user = "gitea";
|
user = "gitea";
|
||||||
|
@ -63,6 +66,7 @@
|
||||||
DOMAIN = "git.pub.solar";
|
DOMAIN = "git.pub.solar";
|
||||||
HTTP_ADDR = "127.0.0.1";
|
HTTP_ADDR = "127.0.0.1";
|
||||||
HTTP_PORT = 3000;
|
HTTP_PORT = 3000;
|
||||||
|
START_SSH_SERVER = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
log.LEVEL = "Warn";
|
log.LEVEL = "Warn";
|
||||||
|
|
|
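Review bot: `networking.firewall.allowedTCPPorts = [ 22 ];` opens port 22 on every interface, yet the comment above it says "only for forgejo SSH"; nothing in the rule ties it to Forgejo, so the comment should name what actually answers there, e.g. `# Port 22 is served by Forgejo's built-in SSH server (START_SSH_SERVER below); system sshd stays on 2222 behind wg-ssh`. The PermitRootLogin/PasswordAuthentication hardening applied to services.openssh in the other file of this commit does not reach the server enabled by `START_SSH_SERVER = true;` in the second hunk, which is a separate implementation with its own host-key, cipher and MAC settings, so its defaults are now what faces the internet. It presumably presents its own generated host key rather than the system sshd's (confirm), so clients that previously reached port 22 will see a host-key change; recording the new fingerprint in the description would keep users from simply accepting the mismatch. Whether the `gitea` user can bind a port below 1024 depends on the service unit granting that capability, which is worth confirming on the deployed host.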
@ -1,10 +1,11 @@
|
||||||
{ pkgs, lib, ... }: {
|
{ pkgs, lib, ... }: {
|
||||||
# Don't expose SSH via public interfaces
|
# Don't expose SSH via public interfaces
|
||||||
networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 22 ];
|
networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 2222 ];
|
||||||
|
|
||||||
services.openssh = {
|
services.openssh = {
|
||||||
enable = true;
|
enable = true;
|
||||||
openFirewall = lib.mkDefault false;
|
openFirewall = lib.mkDefault false;
|
||||||
|
ports = [ 2222 ];
|
||||||
settings = {
|
settings = {
|
||||||
PermitRootLogin = "prohibit-password";
|
PermitRootLogin = "prohibit-password";
|
||||||
PasswordAuthentication = false;
|
PasswordAuthentication = false;
|
||||||
|
|
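Review bot: The port now appears twice in this hunk, in `networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 2222 ];` and in `ports = [ 2222 ];`, so a later change to one silently leaves the other stale; deriving the firewall rule from the sshd option keeps them in step: `{ config, pkgs, lib, ... }: {` and `networking.firewall.interfaces.wg-ssh.allowedTCPPorts = config.services.openssh.ports;`. The comment `# Don't expose SSH via public interfaces` no longer explains the unusual port; adding `# sshd listens on 2222 so that Forgejo's built-in SSH server can take port 22` records the reason. If this module is imported by hosts other than the Forgejo one, they all move to 2222 as well, which the commit message does not mention; presumably intended, but worth a line.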