feat(gogs): expose SSH-clone via git.tammena.me

2023-11-13 12:25:22 +01:00 · 2023-11-13 12:25:22 +01:00 · a358103a43
parent addfd6453d
commit a358103a43
2 changed files with 20 additions and 4 deletions
--- a/hosts/faunus-ater.nix
+++ b/hosts/faunus-ater.nix
@ -70,6 +70,9 @@ in {
        [auth]
        DISABLE_REGISTRATION = true
        SHOW_REGISTRATION_BUTTON = false
+
+        [server]
+        SSH_PORT = 22222
      '';
    };
    services.nginx.virtualHosts."git.home" = mkVirtHost "git-home" {
@ -408,8 +411,8 @@ in {

    # All services that run here, that should be exposed need to be exposed on the VPN
    networking.firewall.interfaces.${config.services.tailscale.interfaceName}.allowedTCPPorts = let
-      selectPort = name: config: config.port;
-      filterRunningHereAndExposed = lib.attrsets.filterAttrs (name: conf: conf.host == config.networking.hostName && conf ? external && conf.external);
+      selectPort = _: config: config.port;
+      filterRunningHereAndExposed = lib.attrsets.filterAttrs (_: conf: conf.host == config.networking.hostName && conf ? external && conf.external);
    in
      lib.attrsets.mapAttrsToList selectPort (filterRunningHereAndExposed config.state.services);

--- a/hosts/granodomus-lima.nix
+++ b/hosts/granodomus-lima.nix
@ -4,6 +4,7 @@
  config,
  ...
 }: let
+  state = builtins.import ../state.nix;
  mkVirtHost = lib.attrsets.recursiveUpdate {
    forceSSL = true;
    enableACME = true;
@ -45,7 +46,7 @@ in {
    services.radicaleWithInfcloud.enable = true;

    services.nginx.virtualHosts = let
-      services = (builtins.import ../state.nix).services;
+      services = state.services;
      removeUnexposed = lib.attrsets.filterAttrs (_: config: config ? "external" && config.external);
      createVirtHost = name: config: {
        name = "${name}.tammena.me";
@ -58,6 +59,18 @@ in {
      };
    in
      lib.mapAttrs' createVirtHost (removeUnexposed services);
+    services.nginx.appendConfig = ''
+      stream {
+        upstream ssh {
+          server ${state.services.git.host}:22;
+        }
+        server {
+          listen 22222;
+          # server_name  git.tammena.me;
+          proxy_pass ssh;
+        }
+      }
+    '';

    sops.secrets =
      lib.mapAttrs' (name: _: {
@ -118,7 +131,7 @@ in {
        '';
      };
    };
-    networking.firewall.allowedTCPPorts = [53];
+    networking.firewall.allowedTCPPorts = [53 22222];
    networking.firewall.allowedUDPPorts = [53];

    # This value determines the NixOS release from which the default