forgejo: run internal ssh server on port 22

The system-wide SSH server was hidden behind a wireguard proxy for security reasons, but since forgejo was using it, git pushes and pulls got broken for people without wireguard access. These config changes make sure forgejo starts its built-in SSH server on port 22, which is then allowed to be accessed from the open internet in the firewall config.
2024-04-05 15:02:39 +02:00 · 2024-04-05 15:02:39 +02:00 · ad1ea4a49e
parent 2851273d18
commit ad1ea4a49e
2 changed files with 6 additions and 1 deletions
--- a/hosts/nachtigall/apps/forgejo.nix
+++ b/hosts/nachtigall/apps/forgejo.nix
@ -41,6 +41,9 @@
  users.groups.gitea = {};
  # Expose SSH port only for forgejo SSH
  networking.firewall.allowedTCPPorts = [ 22 ];
  services.forgejo = {
    enable = true;
    user = "gitea";
@ -63,6 +66,7 @@
        DOMAIN = "git.pub.solar";
        HTTP_ADDR = "127.0.0.1";
        HTTP_PORT = 3000;
        START_SSH_SERVER = true;
      };
      log.LEVEL = "Warn";
--- a/modules/networking.nix
+++ b/modules/networking.nix
@ -1,10 +1,11 @@
 { pkgs, lib, ... }: {
  # Don't expose SSH via public interfaces
-  networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 22 ];
+  networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 2222 ];
  services.openssh = {
    enable = true;
    openFirewall = lib.mkDefault false;
    ports = [ 2222 ];
    settings = {
      PermitRootLogin = "prohibit-password";
      PasswordAuthentication = false;