prescientmoon/satellite
1
Fork 0
Code Activity

Only expose ssh access to forgejo over tailscale

Browse source
This commit is contained in:
prescientmoon 2024-11-14 14:05:18 +01:00
parent c954c32ae1
commit 195e66b2c7
Signed by: prescientmoon
SSH key fingerprint: SHA256:UUF9JT2s8Xfyv76b8ZuVL7XrmimH4o49p4b+iexbVH4
1 changed files with 12 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
hosts/nixos/lapetus/services/forgejo.nix
View file

@ -7,10 +7,17 @@
};
satellite.cloudflared.at.git.port = config.satellite.ports.forgejo;
satellite.cloudflared.at."ssh.git" = {
protocol = "ssh";
port = 22; # default ssh port
};
# Add CNAME record for ssh access. Unlike the http interface,
# this will only get exposed over tailscale, so it is safe.
satellite.dns.records = [
{
type = "CNAME";
zone = config.satellite.dns.domain;
at = "ssh.git";
to = config.networking.hostName;
}
];
services.forgejo = {
enable = true;
@ -29,11 +36,7 @@
HTTP_PORT = config.satellite.cloudflared.at.git.port;
ROOT_URL = config.satellite.cloudflared.at.git.url;
LANDING_PAGE = "prescientmoon"; # Make my profile the landing page
# START_SSH_SERVER = true;
# BUILTIN_SSH_SERVER_USER = "git";
# SSH_LISTEN_PORT = config.satellite.ports.forgejo-ssh;
SSH_DOMAIN = config.satellite.cloudflared.at."ssh.git".host;
SSH_DOMAIN = "ssh.${config.satellite.cloudflared.at.git.host}";
};
cron.ENABLED = true;