From 19b2eb37e5f5ffcf38e64da71e2b77a6d400998b Mon Sep 17 00:00:00 2001
From: asyncnomi
Date: Mon, 23 Jun 2025 00:45:00 +0200
Subject: [PATCH] dual ip for forgejo, remove nft
---
 hive.nix | 4 +-
 profiles/forgejo.nix | 88 ++++++++++------------------------------
 profiles/vogon/guest.nix | 11 ++---
 3 files changed, 30 insertions(+), 73 deletions(-)
diff --git a/hive.nix b/hive.nix
index 5092858..75626a2 100644
--- a/hive.nix
+++ b/hive.nix
@@ -213,7 +213,7 @@ in
 deployment.tags = [ "postfix" ];
 vogon.networking = {
- last-octet = 163;
+ last-octet = [ 163 ];
 wan-mac = "00:16:3e:c7:aa:78";
 };
@@ -228,7 +228,7 @@ in
 deployment.tags = [ "git" "forgejo" ];
 vogon.networking = {
- last-octet = 164;
+ last-octet = [ 164 165 ];
 wan-mac = "00:16:3e:cc:71:f3";
 };
diff --git a/profiles/forgejo.nix b/profiles/forgejo.nix
index b9a1449..0e7a521 100644
--- a/profiles/forgejo.nix
+++ b/profiles/forgejo.nix
@@ -6,6 +6,9 @@ let
 domain = "federez.net";
 fqdn = "git.${domain}";
+
+ sys-ip = "193.54.193.164";
+ git-ip = "193.54.193.165";
 in {
 age.secrets = lib.mapAttrs
@@ -21,6 +24,14 @@ in
 postgresqlDatabases = [ cfg.database.name ];
 };
+ services.openssh = {
+ listenAddresses = [{
+ addr = "${sys-ip}";
+ port = 22;
+ }];
+ startWhenNeeded = false;
+ };
+
 services.forgejo = {
 enable = true;
 user = "forgejo";
@@ -37,10 +48,11 @@ in
 settings = {
 server = {
 DOMAIN = "${fqdn}";
- ROOT_URL = "https://${fqdn}/";
+ ROOT_URL = "https://${fqdn}/";
 HTTP_PORT = 3000;
- SSH_PORT = 222;
- SSH_LISTEN_PORT = 2222;
+ SSH_LISTEN_HOST = "${git-ip}";
+ SSH_PORT = 22;
+ SSH_LISTEN_PORT = 22;
 START_SSH_SERVER = true;
 # Forgejo is installed under the forgejo user
 # The builtin ssh server user must match this
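Review bot: `sys-ip` and `git-ip` repeat by hand the two addresses that hive.nix now declares as `last-octet = [ 164 165 ]`, so nothing checks that the two files agree, and a drift leaves sshd and Forgejo bound to addresses networkd never assigns to `wan`. guest.nix exposes the list as `config.vogon.networking.last-octet`, so the profile could derive them, e.g. `sys-ip = "193.54.193.${toString (builtins.elemAt config.vogon.networking.last-octet 0)}";` and index 1 for `git-ip`, provided `config` is among the profile's arguments (its header is outside the hunk). A comment saying that the first octet is the system address and the second the Forgejo address would also record the ordering that hive.nix has to keep.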
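Review bot: `addr = "${sys-ip}";` wraps a string in an interpolation for no gain; `addr = sys-ip;` is the idiomatic form. The larger issue is that pinning sshd to one address makes its start depend on 193.54.193.164 already being configured on `wan`; if sshd.service binds before networkd has brought the address up, I would expect the bind to fail and the host to be left without administrative SSH, with only Forgejo's built-in server answering on port 22 — worth confirming on a reboot. A comment such as `# sshd serves the system address only; port 22 on git-ip belongs to Forgejo's built-in SSH server` would make the split explicit for the next reader.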
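Review bot: The `ROOT_URL` line is removed and re-added with no visible change, which looks like a trailing-whitespace edit adding noise to the hunk; drop it unless the change is intentional. `SSH_PORT = 22` together with `DOMAIN` is what Forgejo prints in SSH clone URLs, so `git.federez.net` must resolve to `git-ip` (193.54.193.165) rather than the system address, otherwise `git@git.federez.net` lands on the OpenSSH daemon at 193.54.193.164, which has no `forgejo` login; DNS is not visible here, so please confirm. If the name has to stay on the system address, `SSH_DOMAIN` can point the displayed clone URL at a separate name for the built-in server. The `settings` block continues outside the hunk.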
@@ -90,6 +102,12 @@ in
 ${adminCmd} change-password --username ${user} --password "$(tr -d '\n' < ${pwd})" || true
 '';
+ systemd.services.forgejo.serviceConfig = {
+ AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+ CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+ PrivateUsers = lib.mkForce false;
+ };
+
 services.nginx = {
 enable = true;
 recommendedProxySettings = true;
@@ -102,67 +120,5 @@ in
 };
 };
- # Setup port redirection and input filtering
- networking = {
- nat.enable = false;
- firewall.enable = false;
- nftables = {
- enable = true;
- checkRuleset = false;
- # NixOs add is own shit, YANK IT :)
- flushRuleset = true;
- tables = {
- filter = {
- content = ''
- chain input {
- type filter hook input priority 0
- policy drop
-
- # Authorized already setup connection
- ct state related,established accept
-
- # Reject sus stuff
- ct state invalid counter drop
- tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop
-
- # ICMP
- icmp type { echo-request } limit rate 4/second accept
- icmpv6 type { echo-request } limit rate 4/second accept
- ip protocol icmp accept
- icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
-
- # SSH
- tcp dport 22 accept
-
- # HTTP/HTTPS
- tcp dport {443,80} accept
-
- # Allow loopback
- iif lo accept
-
- # Log anything else
- ip protocol tcp counter log prefix "tcp.in.dropped: "
- ip protocol udp counter log prefix "udp.in.dropped: "
-
- }
-
- '';
- family = "inet";
- };
- nat = {
- content = ''
- chain prerouting {
- type nat hook prerouting priority -100
- policy accept
-
- # Port redirection
- tcp dport 222 redirect to :2222
- }
- '';
- family = "inet";
- };
- };
- };
- };
-
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
 }
\ No newline at end of file
diff --git a/profiles/vogon/guest.nix b/profiles/vogon/guest.nix
index fbe52e3..e90db43 100644
--- a/profiles/vogon/guest.nix
+++ b/profiles/vogon/guest.nix
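Review bot: `PrivateUsers = lib.mkForce false;` switches off the user-namespace isolation the NixOS Forgejo module applies, and nothing in the hunk records why; presumably because ambient capabilities do not let a service inside a private user namespace bind a host port below 1024, so port 22 cannot be reached any other way. That trade-off deserves a comment, e.g. `# Built-in SSH binds 22 on git-ip; CAP_NET_BIND_SERVICE only works with PrivateUsers off`. Also, if the upstream module already assigns `CapabilityBoundingSet` as part of its hardening, a plain list here is merged with that value rather than replacing it; check the effective unit with `systemctl show forgejo -p CapabilityBoundingSet -p AmbientCapabilities` and add `lib.mkForce` if the merge is not what you intend.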
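Review bot: `networking.firewall.allowedTCPPorts = [ 80 443 ];` loses two things the removed ruleset provided and the NixOS default firewall does not enable by itself: the 4/second rate limit on ICMP echo and the logging of dropped packets; the equivalents are `networking.firewall.pingLimit = "--limit 4/second";` and `networking.firewall.logRefusedPackets = true;` (by default only refused connections are logged). Port 22 is not listed and presumably stays open through `services.openssh.openFirewall` at its default; that opens it on every address, which is what also admits Forgejo's listener on git-ip, and a one-line comment next to the new line should say so. The `redirect to :2222` rule went with the ruleset, so anything still published as port 222 now gets a refusal. The enclosing attribute set ends at the `}` context line, which also lacks a trailing newline.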
@@ -8,11 +8,12 @@ in
 options.vogon = {
 networking = {
 last-octet = mkOption {
- type = types.ints.between 161 174;
- description = '''
- Dernier octet de l'IPv4 de la machine.
+ type = types.listOf (types.ints.between 161 174);
+ description = ''
+ Liste des derniers octets de l'IPv4 de la machine.
 '';
- example = 163;
+ example = [ 163 165 ];
+ };
 wan-mac = mkOption {
 type = types.str;
@@ -32,7 +33,7 @@ in
 };
 networks."10-wan" = {
 matchConfig.Name = "wan";
- address = [ "193.54.193.${toString cfg.networking.last-octet}/28" ];
+ address = map (octet: "193.54.193.${toString octet}/28") cfg.networking.last-octet;
 routes = [ { Gateway = "193.54.193.174"; } ];
 linkConfig.RequiredForOnline = "routable";
 };
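Review bot: `types.listOf (types.ints.between 161 174)` admits an empty list, which would give `wan` no address at all and would likely leave `RequiredForOnline = "routable"` unsatisfiable; `types.nonEmptyListOf (types.ints.between 161 174)` rejects that at evaluation time. Duplicate octets within one host, or the same octet used by two hosts in hive.nix, are still not checked, which may be acceptable but is worth a sentence in the description. The `mkOption` for `wan-mac` continues outside the hunk.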