fix: forgejo intranet ssh

modules/hosts/home/git/default.nix

@@ -1,24 +0,0 @@
-{...}: {
-  flake.homeModules.gitConfiguration = {osConfig, ...}: {
-    impermanence.fallbackPersistence.enable = false;
-
-    home = {
-      username = osConfig.users.users.git.name;
-      homeDirectory = osConfig.users.users.git.home;
-
-      # This value determines the Home Manager release that your configuration is
-      # compatible with. This helps avoid breakage when a new Home Manager release
-      # introduces backwards incompatible changes.
-      #
-      # You should not change this value, even if you update Home Manager. If you do
-      # want to update the value, then make sure to first check the Home Manager
-      # release notes.
-      stateVersion = "23.11"; # Please read the comment before changing.
-    };
-
-    programs.ssh.extraConfig = ''
-      AuthorizedKeysFile
-      /var/lib/forgejo/.ssh/authorized_keys
-    '';
-  };
-}

modules/nixos/programs/forgejo/default.nix

@@ -8,6 +8,7 @@ in {
       mod.forgejo-proxy
       mod.forgejo-fail2ban
       mod.forgejo-storage
+      mod.forgejo-ssh
     ];
   };
 }

modules/nixos/programs/forgejo/ssh.nix

@@ -0,0 +1,49 @@
+{...}: {
+  flake.nixosModules.forgejo-ssh = {
+    lib,
+    config,
+    pkgs,
+    ...
+  }: let
+    gitUser = config.services.forgejo.settings.server.BUILTIN_SSH_SERVER_USER;
+    forgejo = config.services.forgejo.package;
+    stateDir = config.services.forgejo.stateDir;
+
+    forgejoKeysScript = pkgs.writeShellScript "forgejo-keys" ''
+      FORGEJO_WORK_DIR=${stateDir} ${lib.getExe forgejo} keys -e git -u "$1" -t "$2" -k "$3"
+    '';
+
+    forgejoKeysPath = "/run/forgejo-keys";
+  in {
+    config = lib.mkIf config.services.forgejo.enable {
+      # sshd rejects connections for users with nologin shell before
+      # processing authorized_keys, so we need a valid shell even though
+      # the command= wrapper in Forgejo's keys prevents actual shell access.
+      users.users.${gitUser}.shell = pkgs.bash;
+      users.groups.${config.services.forgejo.group}.members = [gitUser];
+
+      services.openssh.settings.AllowUsers = [gitUser];
+
+      # Copy the key lookup script to a root-owned path outside /nix/store.
+      # sshd StrictModes requires AuthorizedKeysCommand and all parent dirs
+      # to be owned by root with no group/world writes. /nix/store and /etc
+      # symlinks both fail this check.
+      system.activationScripts.forgejo-ssh-keys = lib.stringAfter ["etc"] ''
+        install -m 0755 -o root -g root ${forgejoKeysScript} ${forgejoKeysPath}
+      '';
+
+      services.openssh.extraConfig = ''
+        Match User ${gitUser}
+          AuthorizedKeysCommandUser ${gitUser}
+          AuthorizedKeysCommand ${forgejoKeysPath} %u %t %k
+          AuthenticationMethods publickey
+          KbdInteractiveAuthentication no
+          PasswordAuthentication no
+          AllowAgentForwarding no
+          AllowTcpForwarding no
+          X11Forwarding no
+          PermitTTY no
+      '';
+    };
+  };
+}

modules/nixos/users.nix

@@ -164,8 +164,7 @@
 
             git = {
               uid = lib.mkForce uids.git;
-              isSystemUser = !config.services.forgejo.enable;
+              isSystemUser = true;
-              isNormalUser = config.services.forgejo.enable;
               group = config.users.users.git.name;
             };
 

modules/parts.nix

@@ -60,7 +60,6 @@ in {
           home-manager.users = {
             leyla = lib.mkIf config.host.users.leyla.isNormalUser inputs.self.homeModules.leylaConfiguration;
             eve = lib.mkIf config.host.users.eve.isNormalUser inputs.self.homeModules.eveConfiguration;
-            git = lib.mkIf (config.services.forgejo.enable or false) inputs.self.homeModules.gitConfiguration;
           };
         })
       ];