From a67d75e196d8f9cf4032ac0f8f9da02b8a845fc3 Mon Sep 17 00:00:00 2001 From: pazpi Date: Tue, 14 Apr 2026 16:47:58 +0200 Subject: [PATCH] try with forgejo git ssh port on 22 --- hosts/deployments.nix | 10 ++++++---- hosts/forgejo/default.nix | 9 +++++++++ hosts/hosts.nix | 2 ++ modules/services/forgejo.nix | 2 +- 4 files changed, 18 insertions(+), 5 deletions(-) diff --git a/hosts/deployments.nix b/hosts/deployments.nix index 57d49e0..9eccfb3 100644 --- a/hosts/deployments.nix +++ b/hosts/deployments.nix @@ -7,10 +7,12 @@ let # Generate complete colmena host configs (imports + deployment) mkColmenaHosts = builtins.mapAttrs (name: cfg: { imports = inputs.self.nixosConfigurations.${name}._module.args.modules; - deployment = { - targetHost = hosts.${name} or null; - tags = cfg.tags; - }; + deployment = + { + targetHost = hosts.${name} or null; + tags = cfg.tags; + } + // (if cfg ? colmenaSshPort then { targetPort = cfg.colmenaSshPort; } else { }); }) hostDefs; in diff --git a/hosts/forgejo/default.nix b/hosts/forgejo/default.nix index f878c7e..da846bb 100644 --- a/hosts/forgejo/default.nix +++ b/hosts/forgejo/default.nix @@ -56,6 +56,15 @@ in virtualisation.proxmox.enable = true; }; + # Management SSH on 5022; port 22 is used by Forgejo built-in Git SSH + services.openssh.ports = [ 5022 ]; + + systemd.services.forgejo.serviceConfig = { + AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; + CapabilityBoundingSet = lib.mkForce [ "CAP_NET_BIND_SERVICE" ]; + PrivateUsers = lib.mkForce false; + }; + # Extra packages environment.systemPackages = with pkgs; [ ]; diff --git a/hosts/hosts.nix b/hosts/hosts.nix index ea144b4..a124b37 100644 --- a/hosts/hosts.nix +++ b/hosts/hosts.nix @@ -76,6 +76,8 @@ forgejo = { module = ./forgejo; + # Colmena SSH; must match services.openssh.ports on that host + colmenaSshPort = 5022; tags = [ "lxc" "bacco" diff --git a/modules/services/forgejo.nix b/modules/services/forgejo.nix index 6dcbaed..43ac4d7 100644 --- a/modules/services/forgejo.nix 
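Review bot: The `systemd.services.forgejo.serviceConfig` override in hosts/forgejo/default.nix uses `lib.mkForce` to replace the unit's capability bounding set and to turn off `PrivateUsers`, but nothing next to it says why the sandboxing is being relaxed. Binding port 22 needs `CAP_NET_BIND_SERVICE` in the host user namespace, which is presumably why `PrivateUsers` has to go; record that beside the setting, e.g. `# PrivateUsers off: capabilities inside a private user namespace cannot bind host port 22`. A less invasive option is to leave Forgejo's SSH listener on its unprivileged port and redirect 22 to it at the firewall, which keeps the unit's hardening as the upstream module ships it. The forced values will also silently override any later change to the upstream unit's defaults, so they are worth re-checking on NixOS upgrades.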
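Review bot: The first deploy of this change looks like it cannot reach the host. `colmenaSshPort = 5022` in hosts/hosts.nix makes Colmena connect on 5022, while sshd on the running system presumably still listens on its previous port until this same configuration is activated. The commit has no transitional step, so the first apply likely needs a manual port override or a two-step rollout, which the comment should mention. The port is also written twice, here and in `services.openssh.ports` in hosts/forgejo/default.nix, with only a comment keeping the two equal. Deriving one from the other, or adding an assertion that they match, would prevent a mismatch that locks deployment out of the host.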
+++ b/modules/services/forgejo.nix @@ -7,7 +7,7 @@ let cfg = config.my.services.forgejo; httpPort = 3000; - sshPort = 2222; + sshPort = 22; in {
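Review bot: `sshPort = 22` in modules/services/forgejo.nix makes the shared module depend on settings that exist only in hosts/forgejo/default.nix, namely the `CAP_NET_BIND_SERVICE` grant and the move of OpenSSH off port 22. As far as the diff shows, any other host enabling this module would fail to bind the port or collide with sshd. Either move the capability override into the module next to the port, or expose the port as an option with the old default, e.g. `sshPort = cfg.sshPort;`, and set 22 only on the forgejo host. The `let` block and the module body continue outside the hunk, so how `sshPort` is used, including any firewall opening, is not visible here.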