


ad1ea4a49e
forgejo: run internal ssh server on port 22
All checks were successful
Flake checks / Check (pull_request) Successful in 8m11s
The system-wide SSH server was hidden behind a wireguard proxy for
security reasons, but since forgejo was using it, git pushes and pulls
got broken for people without wireguard access.

These config changes make sure forgejo starts its built-in SSH server
on port 22, which is then allowed to be accessed from the open internet
in the firewall config.
2024-04-05 15:05:28 +02:00
2 changed files with 6 additions and 1 deletions


@ -41,6 +41,9 @@
users.groups.gitea = {};
# Expose SSH port only for forgejo SSH
networking.firewall.allowedTCPPorts = [ 22 ];
services.forgejo = {
enable = true;
user = "gitea";
@ -63,6 +66,7 @@
DOMAIN = "git.pub.solar";
HTTP_ADDR = "127.0.0.1";
HTTP_PORT = 3000;
START_SSH_SERVER = true;
};
log.LEVEL = "Warn";
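Review bot: `START_SSH_SERVER = true;` relies on Forgejo's default listen port (22) silently matching the port opened in `networking.firewall.allowedTCPPorts = [ 22 ];` in the first hunk, so a later change to either side would not be caught by the other; pinning it next to `HTTP_PORT` with `SSH_PORT = 22;` and `SSH_LISTEN_PORT = 22;` makes the coupling explicit. Binding a port below 1024 as the unprivileged `gitea` user also requires CAP_NET_BIND_SERVICE; if the NixOS forgejo module does not grant it for this setting, the unit will come up but the SSH listener will fail, which the flake check cannot detect since it only evaluates the config — verify with a real push. The comment on the firewall line could also record why exposing this listener is acceptable where the system sshd was not, e.g. `# Forgejo's built-in SSH server: serves git commands for registered keys only, no shell`.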


@ -1,10 +1,11 @@
{ pkgs, lib, ... }: {
# Don't expose SSH via public interfaces
networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 22 ];
networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 2222 ];
services.openssh = {
enable = true;
openFirewall = lib.mkDefault false;
ports = [ 2222 ];
settings = {
PermitRootLogin = "prohibit-password";
PasswordAuthentication = false;
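Review bot: The comment `# Don't expose SSH via public interfaces` above the changed firewall rule is now misleading, because this same commit opens port 22 on all interfaces in the forgejo config; only the system sshd remains restricted to wg-ssh. Suggest `# System sshd listens on 2222, reachable only over wg-ssh; public port 22 is Forgejo's built-in SSH server`. The literal 2222 now appears in both the `wg-ssh.allowedTCPPorts` rule and `services.openssh.ports`; adding `config` to the module arguments and writing `networking.firewall.interfaces.wg-ssh.allowedTCPPorts = config.services.openssh.ports;` keeps the two from drifting apart. The `services.openssh.settings` block continues past the end of the hunk.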