feat: hardened forgejo git proxy

modules/nixos/programs/forgejo/ssh.nix

@@ -13,6 +13,13 @@
 
     separateUsers = gitUser != forgejoUser;
 
+    # Run the AuthorizedKeysCommand as the forgejo user when users differ,
+    # so it can read app.ini without adding git to the forgejo group.
+    keysCommandUser =
+      if separateUsers
+      then forgejoUser
+      else gitUser;
+
     forgejoKeysCmd = "FORGEJO_WORK_DIR=${stateDir} ${forgejoExe} keys -e git -u \"$1\" -t \"$2\" -k \"$3\"";
 
     # When the SSH user differs from the forgejo service user, rewrite
@@ -31,9 +38,6 @@
   in {
     config = lib.mkIf config.services.forgejo.enable (lib.mkMerge [
       {
-        # sshd rejects connections for users with nologin shell before
-        # processing authorized_keys, so we need a valid shell even though
-        # the command= wrapper in Forgejo's keys prevents actual shell access.
         users.users.${gitUser}.shell = pkgs.bash;
 
         services.openssh.settings.AllowUsers = [gitUser];
@@ -48,7 +52,7 @@
 
         services.openssh.extraConfig = ''
           Match User ${gitUser}
-            AuthorizedKeysCommandUser ${gitUser}
+            AuthorizedKeysCommandUser ${keysCommandUser}
             AuthorizedKeysCommand ${forgejoKeysPath} %u %t %k
             AuthenticationMethods publickey
             KbdInteractiveAuthentication no
@@ -61,9 +65,6 @@
       }
 
       (lib.mkIf separateUsers {
-        # Give the git user read access to forgejo's config and data
-        users.groups.${config.services.forgejo.group}.members = [gitUser];
-
         # Allow the git user to run forgejo serv as the forgejo user
         security.sudo.extraRules = [
           {