From 79a8dda40fdc6637ae0ffdf2d128f9fcfc3ee944 Mon Sep 17 00:00:00 2001
From: Leyla Becker
Date: Mon, 13 Apr 2026 10:09:11 -0500
Subject: [PATCH] fix: forgejo intranet ssh
---
 modules/hosts/home/git/default.nix | 24 ----------
 modules/nixos/programs/forgejo/default.nix | 1 +
 modules/nixos/programs/forgejo/ssh.nix | 49 ++++++++++++++++++++++
 modules/nixos/users.nix | 3 +-
 modules/parts.nix | 1 -
 5 files changed, 51 insertions(+), 27 deletions(-)
 delete mode 100644 modules/hosts/home/git/default.nix
 create mode 100644 modules/nixos/programs/forgejo/ssh.nix
diff --git a/modules/hosts/home/git/default.nix b/modules/hosts/home/git/default.nix
deleted file mode 100644
index b47b548..0000000
--- a/modules/hosts/home/git/default.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{...}: {
- flake.homeModules.gitConfiguration = {osConfig, ...}: {
- impermanence.fallbackPersistence.enable = false;
-
- home = {
- username = osConfig.users.users.git.name;
- homeDirectory = osConfig.users.users.git.home;
-
- # This value determines the Home Manager release that your configuration is
- # compatible with. This helps avoid breakage when a new Home Manager release
- # introduces backwards incompatible changes.
- #
- # You should not change this value, even if you update Home Manager. If you do
- # want to update the value, then make sure to first check the Home Manager
- # release notes.
- stateVersion = "23.11"; # Please read the comment before changing.
- };
-
- programs.ssh.extraConfig = ''
- AuthorizedKeysFile
- /var/lib/forgejo/.ssh/authorized_keys
- '';
- };
-}
diff --git a/modules/nixos/programs/forgejo/default.nix b/modules/nixos/programs/forgejo/default.nix
index bbccaae..1ddc3fc 100644
--- a/modules/nixos/programs/forgejo/default.nix
+++ b/modules/nixos/programs/forgejo/default.nix
@@ -8,6 +8,7 @@ in {
 mod.forgejo-proxy
 mod.forgejo-fail2ban
 mod.forgejo-storage
+ mod.forgejo-ssh
 ];
 };
 }
diff --git a/modules/nixos/programs/forgejo/ssh.nix b/modules/nixos/programs/forgejo/ssh.nix
new file mode 100644
index 0000000..f2ea4b8
--- /dev/null
+++ b/modules/nixos/programs/forgejo/ssh.nix
@@ -0,0 +1,49 @@
+{...}: {
+ flake.nixosModules.forgejo-ssh = {
+ lib,
+ config,
+ pkgs,
+ ...
+ }: let
+ gitUser = config.services.forgejo.settings.server.BUILTIN_SSH_SERVER_USER;
+ forgejo = config.services.forgejo.package;
+ stateDir = config.services.forgejo.stateDir;
+
+ forgejoKeysScript = pkgs.writeShellScript "forgejo-keys" ''
+ FORGEJO_WORK_DIR=${stateDir} ${lib.getExe forgejo} keys -e git -u "$1" -t "$2" -k "$3"
+ '';
+
+ forgejoKeysPath = "/run/forgejo-keys";
+ in {
+ config = lib.mkIf config.services.forgejo.enable {
+ # sshd rejects connections for users with nologin shell before
+ # processing authorized_keys, so we need a valid shell even though
+ # the command= wrapper in Forgejo's keys prevents actual shell access.
+ users.users.${gitUser}.shell = pkgs.bash;
+ users.groups.${config.services.forgejo.group}.members = [gitUser];
+
+ services.openssh.settings.AllowUsers = [gitUser];
+
+ # Copy the key lookup script to a root-owned path outside /nix/store.
+ # sshd StrictModes requires AuthorizedKeysCommand and all parent dirs
+ # to be owned by root with no group/world writes. /nix/store and /etc
+ # symlinks both fail this check.
+ system.activationScripts.forgejo-ssh-keys = lib.stringAfter ["etc"] ''
+ install -m 0755 -o root -g root ${forgejoKeysScript} ${forgejoKeysPath}
+ '';
+
+ services.openssh.extraConfig = ''
+ Match User ${gitUser}
+ AuthorizedKeysCommandUser ${gitUser}
+ AuthorizedKeysCommand ${forgejoKeysPath} %u %t %k
+ AuthenticationMethods publickey
+ KbdInteractiveAuthentication no
+ PasswordAuthentication no
+ AllowAgentForwarding no
+ AllowTcpForwarding no
+ X11Forwarding no
+ PermitTTY no
+ '';
+ };
+ };
+}
diff --git a/modules/nixos/users.nix b/modules/nixos/users.nix
index 68231d4..1871fba 100644
--- a/modules/nixos/users.nix
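Review bot: The wrapper script hardcodes the expected login, `keys -e git -u "$1" -t "$2" -k "$3"`, while the rest of the module takes the account name from `gitUser` (`BUILTIN_SSH_SERVER_USER`); as far as I recall Forgejo's `keys` command prints nothing when `-u` and `-e` differ, so any other value for that setting would silently leave every SSH connection without a matching key — `keys -e ${gitUser} -u "$1" -t "$2" -k "$3"` keeps the two in step. Separately, `services.openssh.settings.AllowUsers = [gitUser]` is set at the global level rather than inside the `Match User` block, and sshd treats a non-empty AllowUsers as a strict allow-list: unless other modules merge their own names into it, a host importing this module loses interactive SSH for its admin accounts. That deserves at least a comment above the line, e.g. `# Host-wide allow-list: every other module with SSH users must add them here`, or a conscious decision to drop it since the Match block already restricts the git account to publickey, no forwarding and no TTY. Both points depend on this module being the only writer of those settings, which the hunk cannot show.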
+++ b/modules/nixos/users.nix
@@ -164,8 +164,7 @@ git = {
 uid = lib.mkForce uids.git;
- isSystemUser = !config.services.forgejo.enable;
- isNormalUser = config.services.forgejo.enable;
+ isSystemUser = true;
 group = config.users.users.git.name;
 };
diff --git a/modules/parts.nix b/modules/parts.nix
index 2d4d680..e928985 100644
--- a/modules/parts.nix
+++ b/modules/parts.nix
@@ -60,7 +60,6 @@ in {
 home-manager.users = {
 leyla = lib.mkIf config.host.users.leyla.isNormalUser inputs.self.homeModules.leylaConfiguration;
 eve = lib.mkIf config.host.users.eve.isNormalUser inputs.self.homeModules.eveConfiguration;
- git = lib.mkIf (config.services.forgejo.enable or false) inputs.self.homeModules.gitConfiguration;
 };
 })
 ];