.

services/forgejo.nix

@@ -1,7 +1,10 @@
 { ... }:
 
 {
-  networking.firewall.interfaces.wg0.allowedTCPPorts = [ 3000 ];
+  networking.firewall.interfaces.wg0.allowedTCPPorts = [
+    3000
+    2222
+  ];
 
   services.forgejo = {
     enable = true;
@@ -11,6 +14,10 @@
       ROOT_URL = "https://forgejo.ellie.town/";
       HTTP_ADDR = "10.10.0.2";
       HTTP_PORT = 3000;
+      START_SSH_SERVER = true;
+      SSH_DOMAIN = "forgejo.ellie.town";
+      SSH_PORT = 2222;
+      SSH_LISTEN_PORT = 2222;
     };
   };
 }

services/wireguard-outer.nix

@@ -9,6 +9,7 @@
   networking.firewall.allowedTCPPorts = [
     80
     443
+    2222
     6697
   ];
   networking.firewall.allowedUDPPorts = [ 51820 ];
@@ -83,6 +84,8 @@
     };
 
     streamConfig = ''
+      log_format forgejo_ssh '$remote_addr [$time_local] $protocol $status';
+
       upstream ergo {
         server 10.10.0.2:6667;
       }
@@ -92,6 +95,15 @@
         ssl_certificate_key /var/lib/acme/irc.ellie.town/key.pem;
         proxy_pass ergo;
       }
+
+      upstream forgejo_ssh {
+        server 10.10.0.2:2222;
+      }
+      server {
+        listen 2222;
+        proxy_pass forgejo_ssh;
+        access_log /var/log/nginx/forgejo-ssh.log forgejo_ssh;
+      }
     '';
 
     virtualHosts."ellie.town" = {
@@ -109,6 +121,21 @@
     };
   };
 
+  environment.etc."fail2ban/filter.d/forgejo-ssh.conf".text = ''
+    [Definition]
+    failregex = ^<HOST> \[.+\] TCP \d+
+  '';
+
+  services.fail2ban.jails.forgejo-ssh.settings = {
+    enabled = true;
+    filter = "forgejo-ssh";
+    logpath = "/var/log/nginx/forgejo-ssh.log";
+    maxretry = 10;
+    findtime = 60;
+    bantime = "1h";
+    port = 2222;
+  };
+
   security.acme = {
     acceptTerms = true;
     defaults.email = "wizzeh@protonmail.com";