


Benjamin Yule Bädorf ad1ea4a49e
forgejo: run internal ssh server on port 22
The system-wide SSH server was hidden behind a wireguard proxy for
security reasons, but since forgejo was using it, git pushes and pulls
broke for people without wireguard access.

These config changes make sure forgejo starts its built-in SSH server
on port 22, which is then allowed to be accessed from the open internet
in the firewall config.
2024-04-05 15:05:28 +02:00
2 changed files with 6 additions and 1 deletions


@ -41,6 +41,9 @@
users.groups.gitea = {};
# Expose SSH port only for forgejo SSH
networking.firewall.allowedTCPPorts = [ 22 ];
services.forgejo = {
enable = true;
user = "gitea";
@ -63,6 +66,7 @@
DOMAIN = "git.pub.solar";
HTTP_ADDR = "127.0.0.1";
HTTP_PORT = 3000;
START_SSH_SERVER = true;
};
log.LEVEL = "Warn";
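Review bot: `START_SSH_SERVER = true;` enables the built-in server but leaves its port to Forgejo's default, so the `networking.firewall.allowedTCPPorts = [ 22 ];` rule in the first hunk and the listener agree only by coincidence of defaults; pinning `SSH_PORT = 22;` and `SSH_LISTEN_PORT = 22;` next to `START_SSH_SERVER = true;` makes the opened port and the listening port explicit and keeps them from drifting apart. Because the service runs as `user = "gitea";`, binding a port below 1024 presumably depends on the systemd unit granting CAP_NET_BIND_SERVICE — worth confirming the unit actually starts listening before relying on this. The comment `# Expose SSH port only for forgejo SSH` is also misleading now that this is the global firewall list, which opens 22 on every interface; `# Port 22 is forgejo's built-in SSH server, reachable from all interfaces; the host sshd stays on wg-ssh` would say what the rule does. The enclosing `services.forgejo.settings.server` attribute set of the second hunk begins outside the hunk.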


@ -1,10 +1,11 @@
{ pkgs, lib, ... }: {
# Don't expose SSH via public interfaces
networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 22 ];
networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 2222 ];
services.openssh = {
enable = true;
openFirewall = lib.mkDefault false;
ports = [ 2222 ];
settings = {
PermitRootLogin = "prohibit-password";
PasswordAuthentication = false;