From a84141cf1578da5a50ad794270f7737d7f67bb32 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cyryl=20P=C5=82otnicki?=
Date: Sun, 30 Oct 2022 19:24:46 +0000
Subject: [PATCH] allow gitea (and everyone else) to bind to low ports

---
 nixos/boxes/vpsfree1/gitea.nix | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/nixos/boxes/vpsfree1/gitea.nix b/nixos/boxes/vpsfree1/gitea.nix
index 9d215878..e5acc574 100644
--- a/nixos/boxes/vpsfree1/gitea.nix
+++ b/nixos/boxes/vpsfree1/gitea.nix
@@ -1,15 +1,17 @@
 { config, pkgs, inputs, lib, ... }:
 let
 httpPort = 8083;
- sshContainerPort = 22222;
- sshHostPort = 22;
+ sshPort = 22;
 domain = "git.cyplo.dev";
 baseurl = "https://${domain}";
 path = "/var/lib/gitea";
 in {
 imports = [ ../nginx.nix ];
- networking.firewall.allowedTCPPorts = [ sshHostPort ];
+ boot.kernel.sysctl = { "net.ipv4.ip_unprivileged_port_start" = 0; };
+ systemd.services.systemd-sysctl.enable = lib.mkForce true;
+
+ networking.firewall.allowedTCPPorts = [ sshPort ];
 services.nginx = {
 virtualHosts = {
 "${domain}" = {
@@ -30,8 +32,8 @@ in {
 hostPort = httpPort;
 }
 {
- containerPort = sshContainerPort;
- hostPort = sshHostPort;
+ containerPort = sshPort;
+ hostPort = sshPort;
 }
 ];
 bindMounts = {
@@ -52,8 +54,8 @@ in {
 settings = {
 server = {
 START_SSH_SERVER = true;
- SSH_PORT = sshHostPort;
- SSH_LISTEN_PORT = sshContainerPort;
+ SSH_PORT = sshPort;
+ SSH_LISTEN_PORT = sshPort;
 DISABLE_SSH = false;
 };
 };
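Review bot: In the first hunk, `boot.kernel.sysctl = { "net.ipv4.ip_unprivileged_port_start" = 0; };` is set at the top level of the module, so it removes the privileged-port restriction for every unprivileged process on that system rather than only for gitea, as the subject line itself acknowledges. Any local account or compromised service could then listen on ports such as 22, 80 or 443 whenever the legitimate listener is stopped or restarting. The only visible need is the third hunk's `SSH_LISTEN_PORT = sshPort;`, so consider either keeping a high listen port behind the existing `hostPort`/`containerPort` forward or granting just the gitea unit the capability, e.g. `serviceConfig.AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];` on its systemd service. If the sysctl has to stay, add a comment above it recording why it is needed and that it is system-wide. The container and service definitions lie outside the hunks, so where the capability would be declared needs checking against the full file.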