2 changed files with 6 additions and 1 deletions
--- a/hosts/nachtigall/apps/forgejo.nix
+++ b/hosts/nachtigall/apps/forgejo.nix
@ -41,6 +41,9 @@

  users.groups.gitea = {};

+  # Expose SSH port only for forgejo SSH
+  networking.firewall.allowedTCPPorts = [ 22 ];
+
  services.forgejo = {
    enable = true;
    user = "gitea";
@ -63,6 +66,7 @@
        DOMAIN = "git.pub.solar";
        HTTP_ADDR = "127.0.0.1";
        HTTP_PORT = 3000;
+        START_SSH_SERVER = true;
      };

      log.LEVEL = "Warn";
--- a/modules/networking.nix
+++ b/modules/networking.nix
@ -1,10 +1,11 @@
 { pkgs, lib, ... }: {
  # Don't expose SSH via public interfaces
-  networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 22 ];
+  networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 2222 ];

  services.openssh = {
    enable = true;
    openFirewall = lib.mkDefault false;
+    ports = [ 2222 ];
    settings = {
      PermitRootLogin = "prohibit-password";
      PasswordAuthentication = false;