bvm-forgejo: enable SSH server

2024-11-10 22:28:16 +00:00 · 2024-11-10 22:28:16 +00:00 · ad8bc97d0c
commit ad8bc97d0c
parent 2f786ed2da
1 changed files with 12 additions and 0 deletions
--- a/ops/nixos/bvm-forgejo/default.nix
+++ b/ops/nixos/bvm-forgejo/default.nix
@ -99,6 +99,11 @@ in {
      server = {
        DOMAIN = "git.lukegb.com";
        ROOT_URL = "https://git.lukegb.com/";
+
+        START_SSH_SERVER = true;
+        BUILTIN_SSH_SERVER_USER = "git";
+        SSH_TRUSTED_USER_CA_KEYS = builtins.readFile ../../secrets/client-ca.pub;
+        SSH_AUTHORIZED_PRINCIPALS_ALLOW = "username";
      };
      session = {
        COOKIE_SECURE = true;
@ -134,6 +139,13 @@ in {
      log.LEVEL = "Trace";
    };
  };
+  systemd.services.forgejo.serviceConfig = {
+    PrivateUsers = lib.mkForce false;
+
+    # Allow forgejo to bind port 22.
+    AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+    CapabilityBoundingSet = lib.mkForce "CAP_NET_BIND_SERVICE";
+  };

  system.stateVersion = "24.11";
 }