From 2a25c42063be036931af98e37254175feb23d33b Mon Sep 17 00:00:00 2001 From: Geir Okkenhaug Jerstad Date: Tue, 10 Jun 2025 23:03:23 +0200 Subject: [PATCH] fixed ssh forwarding to git.geokkjer.eu --- machines/grey-area/services/forgejo.nix | 22 ++++++++++++++++++--- machines/reverse-proxy/configuration.nix | 25 ++++++++++++++---------- 2 files changed, 34 insertions(+), 13 deletions(-) diff --git a/machines/grey-area/services/forgejo.nix b/machines/grey-area/services/forgejo.nix index b5c2bb8..517f7c7 100644 --- a/machines/grey-area/services/forgejo.nix +++ b/machines/grey-area/services/forgejo.nix @@ -1,10 +1,26 @@ -{ pkgs, config, ... }: { + pkgs, + config, + ... +}: { + # Create the git user before Forgejo tries to use it + users.users.git = { + isSystemUser = true; + group = "git"; + shell = pkgs.bash; + home = "/var/lib/forgejo"; + createHome = true; + description = "Forgejo Git Service"; + }; + + users.groups.git = {}; + services.forgejo = { enable = true; - user = "git"; # Explicitly set to 'git' user for SSH compatibility + user = "git"; # Use the git user we created above + group = "git"; }; - + services.forgejo.settings = { DEFAULT = { RUN_MODE = "prod"; diff --git a/machines/reverse-proxy/configuration.nix b/machines/reverse-proxy/configuration.nix index 115cf13..484e5d5 100644 --- a/machines/reverse-proxy/configuration.nix +++ b/machines/reverse-proxy/configuration.nix @@ -1,7 +1,10 @@ -{ pkgs, config, lib, ... }: - { - imports = [ + pkgs, + config, + lib, + ... +}: { + imports = [ ./gandicloud.nix ../../modules/common/base.nix ../../modules/network/extraHosts.nix @@ -10,7 +13,9 @@ ]; environment.systemPackages = with pkgs; [ - neovim fastfetch tailscale + neovim + fastfetch + tailscale ]; # Hostname configuration 
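Review bot: The new `users.users.git` block gives the account an interactive `shell = pkgs.bash` on the host whose system sshd (`grey-area:22`) the reverse-proxy stream block in this same patch forwards to public port 2222, so it is grey-area's sshd as a whole — not just the `git` account — that becomes internet-reachable, and the proxy's "rely on fail2ban" comment does not cover those sessions: the auth failures are logged on grey-area, and unless something not shown here preserves the client address, grey-area sees the proxy as the peer, so a ban there would lock out the proxy for everyone. Consider terminating Git SSH in Forgejo's built-in server instead, e.g. `services.forgejo.settings.server = { START_SSH_SERVER = true; SSH_LISTEN_PORT = 2222; };` with the proxy upstream changed to `server grey-area:2222;` (and that port opened on grey-area), which keeps the system sshd off the public path; failing that, confirm grey-area's sshd has password authentication disabled, at least for `git`. Separately, `home = "/var/lib/forgejo"` with `createHome = true` overlaps the directory the forgejo module manages as its state dir — verify the two agree on ownership and mode (the module's own tmpfiles rule presumably sets 0750) rather than relying on which one runs last. The `services.forgejo.settings` attrset opened at the end of the hunk continues outside it.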
@@ -21,8 +26,8 @@
 enable = true;
 # Allow HTTP/HTTPS from external network and Git SSH on port 2222
 # Temporarily allow SSH from everywhere - rely on fail2ban for protection
- allowedTCPPorts = [ 22 80 443 2222 ];
- allowedUDPPorts = [ ];
+ allowedTCPPorts = [22 80 443 2222];
+ allowedUDPPorts = [];
 # Explicitly block all other traffic
 rejectPackets = true;
 };
@@ -51,7 +56,7 @@
 ClientAliveCountMax = 2;
 };
 };
- 
+
 # nginx reverse proxy
 services.nginx = {
 enable = true;
@@ -79,7 +84,7 @@
 upstream git_ssh_backend {
 server grey-area:22;
 }
- 
+
 server {
 listen 2222;
 proxy_pass git_ssh_backend;
@@ -93,7 +98,7 @@
 security.acme = {
 acceptTerms = true;
 defaults = {
- email = "geir@geokkjer.eu";
+ email = "geir@geokkjer.eu";
 };
 };
-}
\ No newline at end of file
+}