From c6bdff8603e3beaf17fd87a3e3261ab68a12e0dc Mon Sep 17 00:00:00 2001
From: Leyla Becker
Date: Thu, 20 Feb 2025 19:48:52 -0600
Subject: [PATCH] drafted up ssh config for forgejo

---
 configurations/nixos/horizon/configuration.nix | 8 ++++++++
 modules/nixos-modules/server/forgejo.nix | 18 +++++++++++++++++-
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/configurations/nixos/horizon/configuration.nix b/configurations/nixos/horizon/configuration.nix
index ee32059..8638145 100644
--- a/configurations/nixos/horizon/configuration.nix
+++ b/configurations/nixos/horizon/configuration.nix
@@ -53,6 +53,14 @@
 };
 };

+ # networking.extraHosts = ''
+ # # 192.168.1.204 jan-leila.com
+ # 192.168.1.204 media.jan-leila.com
+ # # 192.168.1.204 drive.jan-leila.com
+ # 192.168.1.204 git.jan-leila.com
+ # # 192.168.1.204 search.jan-leila.com
+ # '';
+
 # Enable touchpad support (enabled default in most desktopManager).
 # services.xserver.libinput.enable = true;

diff --git a/modules/nixos-modules/server/forgejo.nix b/modules/nixos-modules/server/forgejo.nix
index cba5313..db1549d6 100644
--- a/modules/nixos-modules/server/forgejo.nix
+++ b/modules/nixos-modules/server/forgejo.nix
@@ -5,6 +5,8 @@
 }: let
 forgejoPort = 8081;
 stateDir = "/var/lib/forgejo";
+ db_user = "forgejo";
+ sshPort = 2222;
 in {
 options.host.forgejo = {
 enable = lib.mkEnableOption "should forgejo be enabled on this computer";
@@ -24,7 +26,7 @@ in {
 postgres = {
 enable = true;
 extraUsers = {
- forgejo = {
+ ${db_user} = {
 isClient = true;
 };
 };
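Review bot: The `networking.extraHosts` block added to configuration.nix is entirely commented out, and three of its five entries are commented a second time, so it changes nothing and gives no hint of when it is meant to be switched on. If it is kept as a toggle, it needs a line above it saying so, for example `# LAN-only override: uncomment when the router cannot hairpin to 192.168.1.204`. That wording is a guess at the intent, so adjust it to the real reason. The note should also say that once enabled these names resolve to that address on every network the machine joins, so it belongs in a LAN-only profile rather than the base host config. If it is only a debugging leftover, drop it from the commit.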
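Review bot: In the forgejo.nix `let` block the new binding `db_user` is snake_case while its neighbours `forgejoPort`, `stateDir` and `sshPort` are camelCase. Later hunks reuse the same value as the Postgres role (`extraUsers`), the database `NAME` and the `USER`, so the name also undersells what it controls. I would rename it to `dbUser` (or `dbName` if one identifier is meant to cover both) and update the three uses. A one-line comment such as `# postgres role and database name used by forgejo` would help. The `let` block starts outside the hunk.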
@@ -42,12 +44,26 @@ in {
 server = {
 DOMAIN = "${config.host.forgejo.subdomain}.${config.host.reverse_proxy.hostname}";
 HTTP_PORT = forgejoPort;
+ START_SSH_SERVER = true;
+ SSH_LISTEN_PORT = sshPort;
+ SSH_PORT = 22;
+ # TODO: we need to create this user, and then store their authorized keys somewhere and have both ssh server allow login in as that user based on those authorized keys
+ BUILTIN_SSH_SERVER_USER = "git";
 };
 service = {
 DISABLE_REGISTRATION = true;
 };
+ database = {
+ DB_TYPE = "postgres";
+ NAME = db_user;
+ USER = db_user;
+ };
 };
 };
+
+ networking.firewall.allowedTCPPorts = [
+ config.services.forgejo.settings.server.SSH_LISTEN_PORT
+ ];
 }
 (lib.mkIf config.host.impermanence.enable {
 assertions = [
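Review bot: `SSH_PORT = 22` is the port Forgejo advertises in clone URLs, but the built-in server listens on `SSH_LISTEN_PORT = sshPort` (2222), which is also the only port the new `allowedTCPPorts` entry opens. Nothing visible in this hunk forwards 22 to 2222, so the generated `git@…` URLs would reach whatever answers on port 22 of the host (presumably the system sshd) rather than Forgejo. Either advertise the real port with `SSH_PORT = sshPort;` or add the redirect in the same change. The TODO above `BUILTIN_SSH_SERVER_USER` also reads as if two modes are mixed: as far as I know, with `START_SSH_SERVER = true` Forgejo checks keys against its own database and `git` is only the login name clients present, so a system account and an authorized_keys file are needed only if OpenSSH fronts it. Please state the intended mode in the comment, and also note that the firewall rule exposes 2222 on all interfaces; the enclosing attribute set and its enable guard lie outside the hunk.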