containers/citrine: fix forwarding

containers/citrine/configuration.nix

@@ -1,7 +1,7 @@
 { config, lib, ... }: {
   system.stateVersion = "25.11";
-  networking.firewall.allowedTCPPorts = [ 3000 ];
-  networking.firewall.allowedUDPPorts = [ 3000 ];
+  networking.firewall.allowedTCPPorts = [ 22 3000 ];
+  networking.firewall.allowedUDPPorts = [ 22 3000 ];
 
   systemd.tmpfiles.rules = [
     "L+ /persist/forgejo/custom/templates - - - - ${./templates}"
@@ -16,6 +16,9 @@
         DOMAIN = "garden.lava.moe";
         ROOT_URL = "https://garden.lava.moe/";
         HTTP_PORT = 3000;
+        START_SSH_SERVER = true;
+        BUILTIN_SSH_SERVER_USER = "git";
+        SSH_DOMAIN = "git.lava.moe";
       };
       ui = lib.mkForce {
         DEFAULT_THEME = "catppuccin-maroon-auto";
@@ -35,6 +38,12 @@
     stateDir = "/persist/forgejo";
   };
 
+  systemd.services.forgejo.serviceConfig = {
+    AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+    CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+    PrivateUsers = lib.mkForce false;
+  };
+
   catppuccin.forgejo.enable = true;
 
   environment.systemPackages = [ config.services.forgejo.package ];