Implement SSH forwarding for Forgejo Git access

- Add nginx stream configuration on reverse-proxy to forward port 2222 to apps:22 - Update firewall rules to allow port 2222 for Git SSH access - Configure Forgejo to use SSH_PORT = 2222 for Git operations - Add comprehensive SSH forwarding research documentation - Enable Git operations via git@git.geokkjer.eu:2222 Phase 1 implementation using nginx stream module complete. Ready for testing and potential Phase 2 migration to HAProxy.
2025-06-07 15:21:11 +02:00 · 2025-06-07 15:21:11 +02:00 · a35d9ff420
commit a35d9ff420
parent 1e75db5f15
3 changed files with 327 additions and 14 deletions
--- a/machines/grey-area/services/forgejo.nix
+++ b/machines/grey-area/services/forgejo.nix
@ -15,6 +15,7 @@
    server = {
      ROOT_URL = "http://apps:3000";
      SSH_DOMAIN = "git.geokkjer.eu";
+      SSH_PORT = 2222;
    };
    repository = {
      ENABLE_PUSH_CREATE_USER = true;
--- a/machines/reverse-proxy/configuration.nix
+++ b/machines/reverse-proxy/configuration.nix
@ -1,9 +1,8 @@
-{ pkgs, configs, lib, ... }:
-let
-  Host = "vps1.tail807ea.ts.net";
-in
+{ pkgs, config, lib, ... }:
+
 {
  imports = [ 
+    ./gandicloud.nix
    ../../modules/common/base.nix
    ../../modules/users/sma.nix
    ../../modules/security/ssh-keys.nix
@ -20,11 +19,15 @@ in
  # DMZ-specific firewall configuration - very restrictive
  networking.firewall = {
    enable = true;
-    # Only allow HTTP/HTTPS from external network
-    allowedTCPPorts = [ 80 443 ];
+    # Allow HTTP/HTTPS from external network and Git SSH on port 2222
+    allowedTCPPorts = [ 80 443 2222 ];
    allowedUDPPorts = [ ];
-    # SSH only allowed on Tailscale interface (DMZ security)
-    interfaces.tailscale0.allowedTCPPorts = [ 22 ];
+    # SSH only allowed from Tailscale network (100.64.0.0/10)
+    extraCommands = ''
+      # Allow SSH only from Tailscale network
+      iptables -A nixos-fw -p tcp --dport 22 -s 100.64.0.0/10 -j ACCEPT
+      iptables -A nixos-fw -p tcp --dport 22 -j DROP
+    '';
    # Explicitly block all other traffic
    rejectPackets = true;
  };
@ -52,12 +55,8 @@ in
      ClientAliveInterval = 300;
      ClientAliveCountMax = 2;
    };
-    listenAddresses = [
-      {
-        addr = "100.96.189.104";  # Tailscale IP only
-        port = 22;
-      }
-    ];
+    # Let SSH listen on default port, firewall restricts to Tailscale interface
+    # This allows Tailscale to assign IP dynamically based on hostname
  };
  
  # nginx reverse proxy
@ -81,6 +80,21 @@ in
      #  locations."/".proxyPass = "/var/wwww/homepage/";
      #};
    };
+
+    # Stream configuration for SSH forwarding to Git server
+    streamConfig = ''
+      upstream git_ssh_backend {
+          server apps:22;
+      }
+      
+      server {
+          listen 2222;
+          proxy_pass git_ssh_backend;
+          proxy_timeout 300s;
+          proxy_connect_timeout 10s;
+          proxy_responses 1;
+      }
+    '';
  };
  # acme let's encrypt
  security.acme = {