From 27cf526c4760667e07ce6618194150294e3fee78 Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Mon, 16 Mar 2026 16:07:08 +1100
Subject: [PATCH] containers/citrine: fix forwarding

---
 containers/citrine/configuration.nix | 13 +++++++++++--
 containers/citrine/flake.nix | 10 ----------
 2 files changed, 11 insertions(+), 12 deletions(-)

diff --git a/containers/citrine/configuration.nix b/containers/citrine/configuration.nix
index fccb236..f84f8b6 100644
--- a/containers/citrine/configuration.nix
+++ b/containers/citrine/configuration.nix
@@ -1,7 +1,7 @@
 { config, lib, ... }:
 {
 system.stateVersion = "25.11";
- networking.firewall.allowedTCPPorts = [ 3000 ];
- networking.firewall.allowedUDPPorts = [ 3000 ];
+ networking.firewall.allowedTCPPorts = [ 22 3000 ];
+ networking.firewall.allowedUDPPorts = [ 22 3000 ];
 systemd.tmpfiles.rules = [
 "L+ /persist/forgejo/custom/templates - - - - ${./templates}"
@@ -16,6 +16,9 @@
 DOMAIN = "garden.lava.moe";
 ROOT_URL = "https://garden.lava.moe/";
 HTTP_PORT = 3000;
+ START_SSH_SERVER = true;
+ BUILTIN_SSH_SERVER_USER = "git";
+ SSH_DOMAIN = "git.lava.moe";
 };
 ui = lib.mkForce {
 DEFAULT_THEME = "catppuccin-maroon-auto";
@@ -35,6 +38,12 @@
 stateDir = "/persist/forgejo";
 };

+ systemd.services.forgejo.serviceConfig = {
+ AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+ CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+ PrivateUsers = lib.mkForce false;
+ };
+
 catppuccin.forgejo.enable = true;

 environment.systemPackages = [ config.services.forgejo.package ];
diff --git a/containers/citrine/flake.nix b/containers/citrine/flake.nix
index 4326ff7..72ff573 100644
--- a/containers/citrine/flake.nix
+++ b/containers/citrine/flake.nix
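Review bot: Port 22 is added to `allowedUDPPorts` as well as `allowedTCPPorts`, but the builtin SSH server this commit enables speaks TCP only, so the UDP entry opens a port nothing listens on. Keep the TCP change and leave the UDP list as it was: `networking.firewall.allowedUDPPorts = [ 3000 ];` (the pre-existing 3000/UDP entry fronts an HTTP port and is equally unused, but that is outside this change). If the container also runs a system sshd on 22 the two listeners will collide; nothing in the hunk shows whether it does.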
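Review bot: `START_SSH_SERVER = true;` relies on Forgejo's default SSH port, and the capability grant added further down in this file only makes sense if that default is 22, so the port should be pinned next to the other server keys so the two hunks are visibly tied together: `SSH_PORT = 22;` and `SSH_LISTEN_PORT = 22;`. `SSH_DOMAIN` is set to git.lava.moe while `DOMAIN`/`ROOT_URL` use garden.lava.moe, which is fine if intentional but deserves a one-line comment such as `# SSH clone URLs use git.lava.moe; the web UI stays on garden.lava.moe`. The enclosing attribute set (presumably `settings.server`) opens before this hunk.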
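Review bot: `CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];` is not forced the way `PrivateUsers` is, and if I remember the upstream NixOS forgejo module correctly it already sets `CapabilityBoundingSet` to the empty string; the systemd option merge concatenates list and non-list definitions, and systemd treats an empty `CapabilityBoundingSet=` as a reset that discards prior assignments, so the effective set would depend on emission order. `CapabilityBoundingSet = lib.mkForce [ "CAP_NET_BIND_SERVICE" ];` makes it deterministic. Turning `PrivateUsers` off and granting a capability widens an otherwise tightly sandboxed service; the alternative that keeps the sandbox intact is to let the builtin SSH server listen on an unprivileged port via `SSH_LISTEN_PORT` and redirect 22 to it in the firewall, with `SSH_PORT` still 22 for the advertised clone URL. Whichever is kept, the block needs a why-comment, e.g. `# builtin SSH server binds :22; PrivateUsers must be off so the capability applies in the host's network namespace`.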
@@ -18,16 +18,6 @@
 name = "citrine";
 subnet = "3";
 in {
- # TODO: this is likely dandelion specific
- networking.firewall.extraCommands = ''
- ip6tables -t nat -A PREROUTING -d fd0d::1:1003 -p tcp --dport 22 -j DNAT --to-destination fd0d:1::${subnet}:2
- ip6tables -t nat -A POSTROUTING -d fd0d:1::${subnet}:2 -p tcp --dport 22 -j SNAT --to-source fd0d::1:1003
- '';
- networking.firewall.extraStopCommands = ''
- ip6tables -t nat -D PREROUTING -d fd0d::1:1003 -p tcp --dport 22 -j DNAT --to-destination fd0d:1::${subnet}:2 || true
- ip6tables -t nat -D POSTROUTING -d fd0d:1::${subnet}:2 -p tcp --dport 22 -j SNAT --to-source fd0d::1:1003 || true
- '';
-
 services.nginx.virtualHosts."garden.lava.moe" = {
 useACMEHost = "lava.moe";
 forceSSL = true;