From c43c6c43a5e9491d514271d1ccfcc99f500df040 Mon Sep 17 00:00:00 2001
From: Ellie <6687206+wizzeh@users.noreply.github.com>
Date: Tue, 24 Feb 2026 16:57:52 -0800
Subject: [PATCH] fix forgejo crypto
---
 common.nix | 8 +++++++-
 services/forgejo.nix | 4 +---
 services/wireguard-outer.nix | 2 +-
 3 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/common.nix b/common.nix
index 26007c8..1f5cef1 100644
--- a/common.nix
+++ b/common.nix
@@ -24,8 +24,14 @@
 PasswordAuthentication = false;
 KbdInteractiveAuthentication = false;
 PermitRootLogin = "no";
- AllowUsers = [ "ellie" ];
+ AllowUsers = [ "ellie" "forgejo" ];
 };
+ extraConfig = ''
+ Match User forgejo Address 10.10.0.1
+ AllowTcpForwarding no
+ X11Forwarding no
+ PermitTunnel no
+ '';
 };
 services.fail2ban = {
diff --git a/services/forgejo.nix b/services/forgejo.nix
index 1f07440..212756a 100644
--- a/services/forgejo.nix
+++ b/services/forgejo.nix
@@ -8,7 +8,6 @@
 networking.firewall.interfaces.wg0.allowedTCPPorts = [
 3000
- 2222
 ];
 services.forgejo = {
@@ -20,10 +19,9 @@
 ROOT_URL = "https://forgejo.ellie.town/";
 HTTP_ADDR = "10.10.0.2";
 HTTP_PORT = 3000;
- START_SSH_SERVER = true;
+ START_SSH_SERVER = false;
 SSH_DOMAIN = "forgejo.ellie.town";
 SSH_PORT = 2222;
- SSH_LISTEN_PORT = 2222;
 };
 };
 }
diff --git a/services/wireguard-outer.nix b/services/wireguard-outer.nix
index 3de261d..03957ec 100644
--- a/services/wireguard-outer.nix
+++ b/services/wireguard-outer.nix
@@ -97,7 +97,7 @@
 }
 upstream forgejo_ssh {
- server 10.10.0.2:2222;
+ server 10.10.0.2:22;
 }
 server {
 listen 2222;
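Review bot: In common.nix the `Match User forgejo Address 10.10.0.1` block applies only when both criteria match, so a `forgejo` login from any other address skips all three forwarding restrictions, while `AllowUsers` admits `forgejo` from everywhere. If the account is meant to be reachable only through the proxy (an inference from the upstream change in services/wireguard-outer.nix), put the address limit on the allow-list, `AllowUsers = [ "ellie" "forgejo@10.10.0.1" ];`, and key the restrictions on `Match User forgejo` alone. `AllowAgentForwarding no` and `PermitTTY no` would fit the same block as defence in depth. The enclosing `services.openssh` attribute set starts above the hunk.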
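Review bot: In the second hunk of services/forgejo.nix, `SSH_PORT = 2222` stays while `START_SSH_SERVER` becomes false and `SSH_LISTEN_PORT` is dropped, and nothing explains why the port no longer matches any listener on this host. Going by the other two files, Git over SSH is now served by the system sshd on port 22, and 2222 is only the port the outer proxy exposes. A one-line comment such as `# advertised in clone URLs only; outer nginx stream :2222 -> sshd :22` would stop a later cleanup from changing it. The `services.forgejo` set begins outside the hunk.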
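Review bot: In services/wireguard-outer.nix the `forgejo_ssh` upstream now targets the system sshd on `10.10.0.2:22`, so the public `listen 2222` reaches a daemon that also accepts the admin account `ellie`, where it previously reached only Forgejo's Git-only server. Every proxied client will also appear to sshd as the proxy's WireGuard address, so the fail2ban service configured in common.nix would presumably ban the proxy itself after repeated failures and cut off all Git-over-SSH. If admin logins are not meant to be reachable through port 2222 and `ellie`'s own sessions come from a different address, restrict `ellie` by source in `AllowUsers`. Consider exempting the proxy address with `services.fail2ban.ignoreIP` and rate-limiting on the outer host, where the real client address is still visible. The nginx `server` block continues past the hunk.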