allow gitea (and everyone else) to bind to low ports

2022-10-30 19:24:46 +00:00 · 2022-10-30 19:24:46 +00:00 · a84141cf15
parent 1114bb3fd1
commit a84141cf15
1 changed files with 9 additions and 7 deletions
--- a/nixos/boxes/vpsfree1/gitea.nix
+++ b/nixos/boxes/vpsfree1/gitea.nix
@ -1,15 +1,17 @@
 { config, pkgs, inputs, lib, ... }:
 let
  httpPort = 8083;
-  sshContainerPort = 22222;
-  sshHostPort = 22;
+  sshPort = 22;
  domain = "git.cyplo.dev";
  baseurl = "https://${domain}";
  path = "/var/lib/gitea";
 in {
  imports = [ ../nginx.nix ];

-  networking.firewall.allowedTCPPorts = [ sshHostPort ];
+  boot.kernel.sysctl = { "net.ipv4.ip_unprivileged_port_start" = 0; };
+  systemd.services.systemd-sysctl.enable = lib.mkForce true;
+
+  networking.firewall.allowedTCPPorts = [ sshPort ];
  services.nginx = {
    virtualHosts = {
      "${domain}" = {
@ -30,8 +32,8 @@ in {
        hostPort = httpPort;
      }
      {
-        containerPort = sshContainerPort;
-        hostPort = sshHostPort;
+        containerPort = sshPort;
+        hostPort = sshPort;
      }
    ];
    bindMounts = {
@ -52,8 +54,8 @@ in {
        settings = {
          server = {
            START_SSH_SERVER = true;
-            SSH_PORT = sshHostPort;
-            SSH_LISTEN_PORT = sshContainerPort;
+            SSH_PORT = sshPort;
+            SSH_LISTEN_PORT = sshPort;
            DISABLE_SSH = false;
          };
        };