feat: hardened forgejo git proxy

2026-04-13 11:22:53 -05:00 · 2026-04-13 11:22:53 -05:00 · 78f02a9e60
commit 78f02a9e60
parent 00e904cde9
1 changed files with 8 additions and 7 deletions
--- a/modules/nixos/programs/forgejo/ssh.nix
+++ b/modules/nixos/programs/forgejo/ssh.nix
@ -13,6 +13,13 @@

    separateUsers = gitUser != forgejoUser;

+    # Run the AuthorizedKeysCommand as the forgejo user when users differ,
+    # so it can read app.ini without adding git to the forgejo group.
+    keysCommandUser =
+      if separateUsers
+      then forgejoUser
+      else gitUser;
+
    forgejoKeysCmd = "FORGEJO_WORK_DIR=${stateDir} ${forgejoExe} keys -e git -u \"$1\" -t \"$2\" -k \"$3\"";

    # When the SSH user differs from the forgejo service user, rewrite
@ -31,9 +38,6 @@
  in {
    config = lib.mkIf config.services.forgejo.enable (lib.mkMerge [
      {
-        # sshd rejects connections for users with nologin shell before
-        # processing authorized_keys, so we need a valid shell even though
-        # the command= wrapper in Forgejo's keys prevents actual shell access.
        users.users.${gitUser}.shell = pkgs.bash;

        services.openssh.settings.AllowUsers = [gitUser];
@ -48,7 +52,7 @@

        services.openssh.extraConfig = ''
          Match User ${gitUser}
-            AuthorizedKeysCommandUser ${gitUser}
+            AuthorizedKeysCommandUser ${keysCommandUser}
            AuthorizedKeysCommand ${forgejoKeysPath} %u %t %k
            AuthenticationMethods publickey
            KbdInteractiveAuthentication no
@ -61,9 +65,6 @@
      }

      (lib.mkIf separateUsers {
-        # Give the git user read access to forgejo's config and data
-        users.groups.${config.services.forgejo.group}.members = [gitUser];
-
        # Allow the git user to run forgejo serv as the forgejo user
        security.sudo.extraRules = [
          {