cilly/flakes
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

containers/citrine: fix forwarding

Browse source
This commit is contained in:
Cilly Leang 2026-03-16 16:07:08 +11:00
parent 49c161e8ab
commit 27cf526c47
Signed by: cilly
GPG key ID: 6500251E087653C9
2 changed files with 11 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

13
containers/citrine/configuration.nix
View file

@ -1,7 +1,7 @@
{ config, lib, ... }: { { config, lib, ... }: {
system.stateVersion = "25.11"; system.stateVersion = "25.11";
networking.firewall.allowedTCPPorts = [ 3000 ]; networking.firewall.allowedTCPPorts = [ 22 3000 ];
networking.firewall.allowedUDPPorts = [ 3000 ]; networking.firewall.allowedUDPPorts = [ 22 3000 ];
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"L+ /persist/forgejo/custom/templates - - - - ${./templates}" "L+ /persist/forgejo/custom/templates - - - - ${./templates}"
@ -16,6 +16,9 @@
DOMAIN = "garden.lava.moe"; DOMAIN = "garden.lava.moe";
ROOT_URL = "https://garden.lava.moe/"; ROOT_URL = "https://garden.lava.moe/";
HTTP_PORT = 3000; HTTP_PORT = 3000;
START_SSH_SERVER = true;
BUILTIN_SSH_SERVER_USER = "git";
SSH_DOMAIN = "git.lava.moe";
}; };
ui = lib.mkForce { ui = lib.mkForce {
DEFAULT_THEME = "catppuccin-maroon-auto"; DEFAULT_THEME = "catppuccin-maroon-auto";
@ -35,6 +38,12 @@
stateDir = "/persist/forgejo"; stateDir = "/persist/forgejo";
}; };
systemd.services.forgejo.serviceConfig = {
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
PrivateUsers = lib.mkForce false;
};
catppuccin.forgejo.enable = true; catppuccin.forgejo.enable = true;
environment.systemPackages = [ config.services.forgejo.package ]; environment.systemPackages = [ config.services.forgejo.package ];

10
containers/citrine/flake.nix
View file

@ -18,16 +18,6 @@
name = "citrine"; name = "citrine";
subnet = "3"; subnet = "3";
in { in {
# TODO: this is likely dandelion specific
networking.firewall.extraCommands = ''
ip6tables -t nat -A PREROUTING -d fd0d::1:1003 -p tcp --dport 22 -j DNAT --to-destination fd0d:1::${subnet}:2
ip6tables -t nat -A POSTROUTING -d fd0d:1::${subnet}:2 -p tcp --dport 22 -j SNAT --to-source fd0d::1:1003
'';
networking.firewall.extraStopCommands = ''
ip6tables -t nat -D PREROUTING -d fd0d::1:1003 -p tcp --dport 22 -j DNAT --to-destination fd0d:1::${subnet}:2 || true
ip6tables -t nat -D POSTROUTING -d fd0d:1::${subnet}:2 -p tcp --dport 22 -j SNAT --to-source fd0d::1:1003 || true
'';
services.nginx.virtualHosts."garden.lava.moe" = { services.nginx.virtualHosts."garden.lava.moe" = {
useACMEHost = "lava.moe"; useACMEHost = "lava.moe";
forceSSL = true; forceSSL = true;