feat(webserver/forgejo): set up SSH

nix/os/containers/webserver.nix

@@ -2,8 +2,9 @@
   specialArgs,
   hostAddress,
   localAddress,
-  httpPort ? 80,
-  httpsPort ? 443,
+  httpPort,
+  httpsPort,
+  forgejoSshPort,
   autoStart ? false,
 }: let
   domain = "www.stefanjunker.de";
@@ -36,6 +37,7 @@ in {
     networking.firewall.allowedTCPPorts = [
       httpPort
       httpsPort
+      forgejoSshPort
     ];
 
     sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
@@ -247,9 +249,13 @@ in {
       settings = {
         service.DISABLE_REGISTRATION = true;
         server.HTTP_ADDR = "127.0.0.1";
-        server.DISABLE_SSH = true;
+        server.START_SSH_SERVER = true;
+        server.SSH_PORT = forgejoSshPort;
         server.ROOT_URL = "https://forgejo.${domain}";
         server.HTTP_PORT = 3001;
+
+        # TODO: how do i get a 3072 length SSH key with the yubikey?
+        "ssh.minimum_key_sizes".RSA = 2048;
       };
       secrets = {
         oauth2.JWT_SECRET = lib.mkForce config.sops.secrets.FORGEJO_JWT_SECRET.path;
@@ -318,6 +324,13 @@ in {
       hostPort = httpsPort;
       protocol = "tcp";
     }
+
+    {
+      # forgejo ssh
+      containerPort = forgejoSshPort;
+      hostPort = forgejoSshPort;
+      protocol = "tcp";
+    }
   ];
 
   inherit hostAddress localAddress;