From ef016ac70af34810eb476eb6e3ce0d8934f6b792 Mon Sep 17 00:00:00 2001
From: Stefan Junker
Date: Wed, 12 Jun 2024 22:22:46 +0200
Subject: [PATCH] feat(webserver/forgejo): set up SSH

---
 nix/os/containers/webserver.nix | 19 ++++++++++++++++---
 nix/os/devices/sj-srv1/system.nix | 1 +
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/nix/os/containers/webserver.nix b/nix/os/containers/webserver.nix
index 1fb6e17..31dd49b 100644
--- a/nix/os/containers/webserver.nix
+++ b/nix/os/containers/webserver.nix
@@ -2,8 +2,9 @@
 specialArgs,
 hostAddress,
 localAddress,
- httpPort ? 80,
- httpsPort ? 443,
+ httpPort,
+ httpsPort,
+ forgejoSshPort,
 autoStart ? false,
 }: let
 domain = "www.stefanjunker.de";
@@ -36,6 +37,7 @@ in {
 networking.firewall.allowedTCPPorts = [
 httpPort
 httpsPort
+ forgejoSshPort
 ];
 
 sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
@@ -247,9 +249,13 @@ in {
 settings = {
 service.DISABLE_REGISTRATION = true;
 server.HTTP_ADDR = "127.0.0.1";
- server.DISABLE_SSH = true;
+ server.START_SSH_SERVER = true;
+ server.SSH_PORT = forgejoSshPort;
 server.ROOT_URL = "https://forgejo.${domain}";
 server.HTTP_PORT = 3001;
+
+ # TODO: how do i get a 3072 length SSH key with the yubikey?
+ "ssh.minimum_key_sizes".RSA = 2048;
 };
 secrets = {
 oauth2.JWT_SECRET = lib.mkForce config.sops.secrets.FORGEJO_JWT_SECRET.path;
@@ -318,6 +324,13 @@ in {
 hostPort = httpsPort;
 protocol = "tcp";
 }
+
+ {
+ # forgejo ssh
+ containerPort = forgejoSshPort;
+ hostPort = forgejoSshPort;
+ protocol = "tcp";
+ }
 ];
 
 inherit hostAddress localAddress;
diff --git a/nix/os/devices/sj-srv1/system.nix b/nix/os/devices/sj-srv1/system.nix
index 93f93d0..434cf27 100644
--- a/nix/os/devices/sj-srv1/system.nix
+++ b/nix/os/devices/sj-srv1/system.nix
@@ -101,6 +101,7 @@
 httpPort = 80;
 httpsPort = 443;
+ forgejoSshPort = 2222;
 };
 syncthing = import ../../containers/syncthing.nix {
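Review bot: Lowering `"ssh.minimum_key_sizes".RSA` to 2048 relaxes the key policy for every user of the instance to work around one key, and the TODO above it suggests the real goal is a YubiKey-backed key, which does not have to be RSA at all: a FIDO2 key (`ssh-keygen -t ed25519-sk`, accepted by Forgejo as `sk-ssh-ed25519@openssh.com` — verify on your version) or an ed25519 key on the OpenPGP applet sidesteps the RSA minimum, so the default can stay and the TODO can be resolved instead of worked around. Separately, `server.SSH_PORT` sets the listener port and the port shown in clone URLs, but the host part of those URLs comes from `server.SSH_DOMAIN`, which defaults to `server.DOMAIN` and ultimately to `localhost`; if neither is set elsewhere in this settings block (the block continues outside the hunk), add `server.SSH_DOMAIN = "forgejo.${domain}";` next to `ROOT_URL`. The built-in server also generates and keeps its own host key under the Forgejo data directory (`server.SSH_SERVER_HOST_KEYS`, key type depending on the Forgejo version as far as I can tell), so confirm that directory is persisted across container rebuilds or clients will see host-key changes, and consider a short comment on `START_SSH_SERVER` noting that this is Forgejo's own SSH daemon, not the container's sshd.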
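Review bot: The new forwarding entry uses `forgejoSshPort` for both `hostPort` and `containerPort`, which is the right coupling but the comment does not say why it must hold: the host-side port has to equal `server.SSH_PORT` because that is the port Forgejo advertises in clone URLs, so replace `# forgejo ssh` with something like `# Forgejo built-in SSH; hostPort must equal server.SSH_PORT (the port advertised in clone URLs). Use server.SSH_LISTEN_PORT if the container-side port ever needs to differ.` This entry also exposes a public-key SSH endpoint on the host on a non-standard port, so it will attract credential-guessing traffic; the container firewall opened in the earlier hunk does not cover the host side, so confirm the host firewall and any rate-limiting (fail2ban-style) you run for sshd also apply to this port. The `forwardPorts` list this entry belongs to starts outside the hunk.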