Set up forgejo ssh

home/features/cli/ssh.nix

@@ -1,5 +1,9 @@
-{ config, ... }:
+{ pkgs, lib, ... }:
 {
   programs.ssh.enable = true;
   satellite.persistence.at.state.apps.ssh.directories = [ ".ssh" ];
+
+  # This allows me to push/pull to my forgejo server via SSH.
+  # See the docs for more details: https://developers.cloudflare.com/cloudflare-one/tutorials/gitlab/#configuring-ssh
+  programs.ssh.matchBlocks."ssh.git.moonythm.dev".proxyCommand = "${lib.getExe pkgs.cloudflared} access ssh --hostname %h";
 }

hosts/nixos/common/global/ports.nix

@@ -24,5 +24,6 @@
     jupyterhub = 8420;
     guacamole = 8421;
     syncthing = 8422;
+    forgejo-ssh = 8423;
   };
 }

hosts/nixos/lapetus/services/forgejo.nix

@@ -7,6 +7,10 @@
   };
 
   satellite.cloudflared.at.git.port = config.satellite.ports.forgejo;
+  satellite.cloudflared.at."ssh.git" = {
+    protocol = "ssh";
+    port = config.satellite.ports.forgejo-ssh;
+  };
 
   services.forgejo = {
     enable = true;
@@ -29,6 +33,8 @@
         HTTP_PORT = config.satellite.cloudflared.at.git.port;
         ROOT_URL = config.satellite.cloudflared.at.git.url;
         LANDING_PAGE = "prescientmoon"; # Make my profile the landing page
+        SSH_DOMAIN = config.satellite.cloudflared.at."ssh.git".host;
+        SSH_PORT = config.satellite.ports.forgejo-ssh;
       };
 
       cron.ENABLED = true;
@@ -45,9 +51,7 @@
       repository = {
         DISABLE_STARS = true;
         DISABLED_REPO_UNITS = "";
-        DEFAULT_REPO_UNITS = lib.strings.concatStringsSep "," [
+        DEFAULT_REPO_UNITS = lib.strings.concatStringsSep "," [ "repo.code" ];
-          "repo.code"
-        ];
       };
     };
   };

modules/nixos/cloudflared.nix

@@ -1,5 +1,6 @@
 { config, lib, ... }:
-let cfg = config.satellite.cloudflared;
+let
+  cfg = config.satellite.cloudflared;
 in
 {
   options.satellite.cloudflared = {
@@ -17,52 +18,74 @@ in
     at = lib.mkOption {
       description = "List of hosts to set up ingress rules for";
       default = { };
-      type = lib.types.attrsOf (lib.types.submodule ({ name, config, ... }: {
+      type = lib.types.attrsOf (
-        options = {
+        lib.types.submodule (
-          subdomain = lib.mkOption {
+          { name, config, ... }:
-            description = ''
+          {
-              Subdomain to use for host generation. 
+            options = {
-              Only required if `host` is not set manually.
+              subdomain = lib.mkOption {
-            '';
+                description = ''
-            type = lib.types.str;
+                  Subdomain to use for host generation.
-            default = name;
+                  Only required if `host` is not set manually.
-          };
+                '';
+                type = lib.types.str;
+                default = name;
+              };
 
-          port = lib.mkOption {
+              port = lib.mkOption {
-            description = "Localhost port to point the tunnel at";
+                description = "Localhost port to point the tunnel at";
-            type = lib.types.port;
+                type = lib.types.port;
-          };
+              };
 
-          host = lib.mkOption {
+              host = lib.mkOption {
-            description = "Host to direct traffic from";
+                description = "Host to direct traffic from";
-            type = lib.types.str;
+                type = lib.types.str;
-            default = "${config.subdomain}.${cfg.domain}";
+                default = "${config.subdomain}.${cfg.domain}";
-          };
+              };
 
-          url = lib.mkOption {
+              protocol = lib.mkOption {
-            description = "External https url used to access this host";
+                description = "The protocol to redirect traffic through";
-            type = lib.types.str;
+                type = lib.types.str;
-          };
+                default = "http";
-        };
+              };
 
-        config.url = "https://${config.host}";
+              url = lib.mkOption {
-      }));
+                description = "External https url used to access this host";
+                type = lib.types.str;
+              };
+            };
+
+            config.url = "https://${config.host}";
+          }
+        )
+      );
     };
   };
 
-  config.services.cloudflared.tunnels.${cfg.tunnel}.ingress = lib.attrsets.mapAttrs'
+  config.services.cloudflared.tunnels.${cfg.tunnel}.ingress = lib.attrsets.mapAttrs' (
-    (_: { port, host, ... }: {
+    _:
+    {
+      port,
+      host,
+      protocol,
+      ...
+    }:
+    {
       name = host;
-      value = "http://localhost:${toString port}";
+      value = "${protocol}://localhost:${toString port}";
-    })
+    }
-    cfg.at;
+  ) cfg.at;
 
   config.satellite.dns.records =
-    let mkDnsRecord = { subdomain, ... }: {
+    let
-      type = "CNAME";
+      mkDnsRecord =
-      at = subdomain;
+        { subdomain, ... }:
-      zone = cfg.domain;
+        {
-      value = "${cfg.tunnel}.cfargotunnel.com.";
+          type = "CNAME";
-    };
+          at = subdomain;
-    in lib.attrsets.mapAttrsToList (_: mkDnsRecord) cfg.at;
+          zone = cfg.domain;
+          value = "${cfg.tunnel}.cfargotunnel.com.";
+        };
+    in
+    lib.attrsets.mapAttrsToList (_: mkDnsRecord) cfg.at;
 }