From 195e66b2c76e798c600549f91c891e3bef5d5947 Mon Sep 17 00:00:00 2001
From: prescientmoon
Date: Thu, 14 Nov 2024 14:05:18 +0100
Subject: [PATCH] Only expose ssh access to forgejo over tailscale

---
 hosts/nixos/lapetus/services/forgejo.nix | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/hosts/nixos/lapetus/services/forgejo.nix b/hosts/nixos/lapetus/services/forgejo.nix
index 8d3dc81..f03fd04 100644
--- a/hosts/nixos/lapetus/services/forgejo.nix
+++ b/hosts/nixos/lapetus/services/forgejo.nix
@@ -7,10 +7,17 @@
 };
 satellite.cloudflared.at.git.port = config.satellite.ports.forgejo;
- satellite.cloudflared.at."ssh.git" = {
- protocol = "ssh";
- port = 22; # default ssh port
- };
+
+ # Add CNAME record for ssh access. Unlike the http interface,
+ # this will only get exposed over tailscale, so it is safe.
+ satellite.dns.records = [
+ {
+ type = "CNAME";
+ zone = config.satellite.dns.domain;
+ at = "ssh.git";
+ to = config.networking.hostName;
+ }
+ ];
 services.forgejo = {
 enable = true;
@@ -29,11 +36,7 @@
 HTTP_PORT = config.satellite.cloudflared.at.git.port;
 ROOT_URL = config.satellite.cloudflared.at.git.url;
 LANDING_PAGE = "prescientmoon"; # Make my profile the landing page
-
- # START_SSH_SERVER = true;
- # BUILTIN_SSH_SERVER_USER = "git";
- # SSH_LISTEN_PORT = config.satellite.ports.forgejo-ssh;
- SSH_DOMAIN = config.satellite.cloudflared.at."ssh.git".host;
+ SSH_DOMAIN = "ssh.${config.satellite.cloudflared.at.git.host}";
 };
 cron.ENABLED = true;
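Review bot: The comment above the new `satellite.dns.records` entry in the first hunk claims ssh "will only get exposed over tailscale, so it is safe", but nothing in this change enforces that — the hunk removes the cloudflared ssh tunnel and publishes a CNAME, while whatever keeps port 22 off the public interface (a firewall rule, an sshd `ListenAddress`, or similar) is not visible here and is presumably configured elsewhere. Note also that the record lands in the public zone `config.satellite.dns.domain`, so `ssh.git.<zone>` and its target hostname remain publicly resolvable even if the host itself is only reachable internally. I'd have the comment point at the enforcing config so the claim can be checked later, e.g. `# Only reachable over tailscale: port 22 is not opened on the public interface (see <path-to-firewall-config>)`. It is also worth confirming that a bare `config.networking.hostName` (the short hostname in NixOS) is what the `satellite.dns` module expects as a CNAME target rather than a fully qualified name.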
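Review bot: `SSH_DOMAIN = "ssh.${config.satellite.cloudflared.at.git.host}";` in the second hunk rebuilds by string concatenation the same name the first hunk's DNS record defines structurally (`at = "ssh.git"` under `zone = config.satellite.dns.domain`); the two only agree as long as `git.host` happens to equal `git.<domain>`, and nothing ties them together. If either side changes, Forgejo would advertise clone URLs for a name that no longer resolves, with no evaluation-time error. Binding the ssh hostname once (e.g. a `let sshHost = "ssh.${config.satellite.cloudflared.at.git.host}"; in` near the top of the file) and using it for both the record's `at`/`zone` and `SSH_DOMAIN` would remove the drift. The enclosing attribute set of this hunk begins outside the hunk.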