try with forgejo git ssh port on 22

hosts/deployments.nix

@@ -7,10 +7,12 @@ let
   # Generate complete colmena host configs (imports + deployment)
   mkColmenaHosts = builtins.mapAttrs (name: cfg: {
     imports = inputs.self.nixosConfigurations.${name}._module.args.modules;
-    deployment = {
-      targetHost = hosts.${name} or null;
-      tags = cfg.tags;
-    };
+    deployment =
+      {
+        targetHost = hosts.${name} or null;
+        tags = cfg.tags;
+      }
+      // (if cfg ? colmenaSshPort then { targetPort = cfg.colmenaSshPort; } else { });
   }) hostDefs;
 
 in

hosts/forgejo/default.nix

@@ -56,6 +56,15 @@ in
     virtualisation.proxmox.enable = true;
   };
 
+  # Management SSH on 5022; port 22 is used by Forgejo built-in Git SSH
+  services.openssh.ports = [ 5022 ];
+
+  systemd.services.forgejo.serviceConfig = {
+    AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+    CapabilityBoundingSet = lib.mkForce [ "CAP_NET_BIND_SERVICE" ];
+    PrivateUsers = lib.mkForce false;
+  };
+
   # Extra packages
   environment.systemPackages = with pkgs; [ ];
 

hosts/hosts.nix

@@ -76,6 +76,8 @@
 
   forgejo = {
     module = ./forgejo;
+    # Colmena SSH; must match services.openssh.ports on that host
+    colmenaSshPort = 5022;
     tags = [
       "lxc"
       "bacco"

modules/services/forgejo.nix

@@ -7,7 +7,7 @@
 let
   cfg = config.my.services.forgejo;
   httpPort = 3000;
-  sshPort = 2222;
+  sshPort = 22;
 in
 {