diff --git a/ops/nixos/bvm-forgejo/default.nix b/ops/nixos/bvm-forgejo/default.nix
index d3ab29ab22..55d3b4adf8 100644
--- a/ops/nixos/bvm-forgejo/default.nix
+++ b/ops/nixos/bvm-forgejo/default.nix
@@ -99,6 +99,11 @@ in {
 server = {
 DOMAIN = "git.lukegb.com";
 ROOT_URL = "https://git.lukegb.com/";
+
+ START_SSH_SERVER = true;
+ BUILTIN_SSH_SERVER_USER = "git";
+ SSH_TRUSTED_USER_CA_KEYS = builtins.readFile ../../secrets/client-ca.pub;
+ SSH_AUTHORIZED_PRINCIPALS_ALLOW = "username";
 };
 session = {
 COOKIE_SECURE = true;
@@ -134,6 +139,13 @@ in {
 log.LEVEL = "Trace";
 };
 };
+ systemd.services.forgejo.serviceConfig = {
+ PrivateUsers = lib.mkForce false;
+
+ # Allow forgejo to bind port 22.
+ AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+ CapabilityBoundingSet = lib.mkForce "CAP_NET_BIND_SERVICE";
+ };
 system.stateVersion = "24.11";
 }
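Review bot: `PrivateUsers = lib.mkForce false;` in the second hunk drops the user-namespace isolation the upstream forgejo module enables, and the only comment in the block explains the capability, not why that line is there; a reader later may "fix" it back on and silently break the SSH listener. Suggest commenting it: `# PrivateUsers runs the service in its own user namespace, where CAP_NET_BIND_SERVICE does not cover privileged ports of the host network namespace; it has to be off for the built-in SSH server to bind port 22.` If keeping PrivateUsers is preferred, an option that appears viable (not verified for this setup) is to leave Forgejo on an unprivileged `SSH_LISTEN_PORT` and redirect 22 to it in the firewall, so neither the capability nor the namespace change is needed. Pairing `AmbientCapabilities` with the `mkForce`d `CapabilityBoundingSet` is the right shape, since it keeps the grant limited to that one capability. Note also that the first hunk never sets `SSH_PORT`/`SSH_LISTEN_PORT`, so "bind port 22" relies on Forgejo's defaults and on no host sshd already holding that port; a one-line comment stating that assumption next to `START_SSH_SERVER = true;` would make the dependency explicit.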