.

2026-02-15 15:51:28 -08:00 · 2026-02-15 15:51:28 -08:00 · 4f4302b7b7
commit 4f4302b7b7
parent cfb31d3b01
2 changed files with 35 additions and 1 deletions
--- a/services/forgejo.nix
+++ b/services/forgejo.nix
@ -1,7 +1,10 @@
 { ... }:

 {
-  networking.firewall.interfaces.wg0.allowedTCPPorts = [ 3000 ];
+  networking.firewall.interfaces.wg0.allowedTCPPorts = [
+    3000
+    2222
+  ];

  services.forgejo = {
    enable = true;
@ -11,6 +14,10 @@
      ROOT_URL = "https://forgejo.ellie.town/";
      HTTP_ADDR = "10.10.0.2";
      HTTP_PORT = 3000;
+      START_SSH_SERVER = true;
+      SSH_DOMAIN = "forgejo.ellie.town";
+      SSH_PORT = 2222;
+      SSH_LISTEN_PORT = 2222;
    };
  };
 }
--- a/services/wireguard-outer.nix
+++ b/services/wireguard-outer.nix
@ -9,6 +9,7 @@
  networking.firewall.allowedTCPPorts = [
    80
    443
+    2222
    6697
  ];
  networking.firewall.allowedUDPPorts = [ 51820 ];
@ -83,6 +84,8 @@
    };

    streamConfig = ''
+      log_format forgejo_ssh '$remote_addr [$time_local] $protocol $status';
+
      upstream ergo {
        server 10.10.0.2:6667;
      }
@ -92,6 +95,15 @@
        ssl_certificate_key /var/lib/acme/irc.ellie.town/key.pem;
        proxy_pass ergo;
      }
+
+      upstream forgejo_ssh {
+        server 10.10.0.2:2222;
+      }
+      server {
+        listen 2222;
+        proxy_pass forgejo_ssh;
+        access_log /var/log/nginx/forgejo-ssh.log forgejo_ssh;
+      }
    '';

    virtualHosts."ellie.town" = {
@ -109,6 +121,21 @@
    };
  };

+  environment.etc."fail2ban/filter.d/forgejo-ssh.conf".text = ''
+    [Definition]
+    failregex = ^<HOST> \[.+\] TCP \d+
+  '';
+
+  services.fail2ban.jails.forgejo-ssh.settings = {
+    enabled = true;
+    filter = "forgejo-ssh";
+    logpath = "/var/log/nginx/forgejo-ssh.log";
+    maxretry = 10;
+    findtime = 60;
+    bantime = "1h";
+    port = 2222;
+  };
+
  security.acme = {
    acceptTerms = true;
    defaults.email = "wizzeh@protonmail.com";