From ad1ea4a49ece553a330bb03791896843de1b8626 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Benjamin=20Yule=20B=C3=A4dorf?=
Date: Fri, 5 Apr 2024 15:02:39 +0200
Subject: [PATCH] forgejo: run internal ssh server on port 22

The system-wide SSH server was hidden behind a wireguard proxy for security reasons, but since forgejo was using it, git pushes and pulls got broken for people without wireguard access. These config changes make sure forgejo starts its built-in SSH server on port 22, which is then allowed to be accessed from the open internet in the firewall config.
---
 hosts/nachtigall/apps/forgejo.nix | 4 ++++
 modules/networking.nix            | 3 ++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/hosts/nachtigall/apps/forgejo.nix b/hosts/nachtigall/apps/forgejo.nix
index fdc941f..d6bb7e0 100644
--- a/hosts/nachtigall/apps/forgejo.nix
+++ b/hosts/nachtigall/apps/forgejo.nix
@@ -41,6 +41,9 @@
   users.groups.gitea = {};
 
+  # Expose SSH port only for forgejo SSH
+  networking.firewall.allowedTCPPorts = [ 22 ];
+
   services.forgejo = {
     enable = true;
     user = "gitea";
@@ -63,6 +66,7 @@
         DOMAIN = "git.pub.solar";
         HTTP_ADDR = "127.0.0.1";
         HTTP_PORT = 3000;
+        START_SSH_SERVER = true;
       };
 
       log.LEVEL = "Warn";
diff --git a/modules/networking.nix b/modules/networking.nix
index 21242d3..9c81c1e 100644
--- a/modules/networking.nix
+++ b/modules/networking.nix
@@ -1,10 +1,11 @@
 { pkgs, lib, ... }:
 {
   # Don't expose SSH via public interfaces
-  networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 22 ];
+  networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 2222 ];
   services.openssh = {
     enable = true;
     openFirewall = lib.mkDefault false;
+    ports = [ 2222 ];
     settings = {
       PermitRootLogin = "prohibit-password";
       PasswordAuthentication = false;
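Review bot: The comment above `networking.firewall.allowedTCPPorts = [ 22 ];` promises the port is opened "only for forgejo SSH", but the option opens TCP 22 on every interface for whatever process binds it; the restriction to forgejo is real only because the same commit moves sshd to 2222 in modules/networking.nix, so if this file is ever deployed without that change the public internet reaches sshd on 22 again. A comment that names that coupling would make the intent auditable, e.g. `# Port 22 is served by forgejo's built-in SSH server; sshd listens on 2222 (see modules/networking.nix)`. Separately, the forgejo service runs as the unprivileged `user = "gitea"` visible below, and binding a port under 1024 needs CAP_NET_BIND_SERVICE; the unit's capability settings are not in this diff, so it is worth confirming the service actually comes up on 22 rather than failing silently with nothing listening there.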
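Review bot: `START_SSH_SERVER = true;` enables the built-in server but leaves its listen address and port to module and upstream defaults, which is fragile for a setting whose whole purpose here is to take over port 22; pinning it explicitly, e.g. `SSH_LISTEN_PORT = 22;` next to the new line, documents the intent and fails loudly if a default ever changes. The built-in server also presents its own host key rather than the one sshd served on this port before, so users who already had `git.pub.solar:22` in known_hosts will see a host-key-changed warning on their next push; publishing the new fingerprint alongside this change avoids training people to accept such warnings blindly. The enclosing `settings.server` block starts outside the hunk.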
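Review bot: `ports = [ 2222 ];` is added in modules/networking.nix, which by its path appears to be a module shared by every host, so this moves the administrative sshd port on all machines even though only nachtigall needs port 22 freed for forgejo; if that is not intended, keep the module at its default and set the port in hosts/nachtigall instead, or note in the `# Don't expose SSH via public interfaces` comment that 2222 is now the fleet-wide sshd port. The matching `wg-ssh.allowedTCPPorts = [ 2222 ]` change keeps sshd reachable only over the wireguard interface, which preserves the existing exposure model. The `services.openssh` block continues past the end of the hunk.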