feat: change forgejo user to git and allow git to login

2025-10-11 07:10:39 +02:00 · 2024-03-13 02:08:40 +01:00 · 2024-03-13 02:08:40 +01:00 · 1631c116fd
commit 1631c116fd
parent 65b638443b
2 changed files with 20 additions and 5 deletions
--- a/hosts/ward/guests/forgejo.nix
+++ b/hosts/ward/guests/forgejo.nix
@ -78,14 +78,26 @@ in {
    };
  };
-  # Recommended by forgejo: https://forgejo.org/docs/latest/admin/recommendations/#git-over-ssh
+  users.groups.git = {};
-  services.openssh.settings.AcceptEnv = "GIT_PROTOCOL";
+  users.users.git = {
    isSystemUser = true;
    useDefaultShell = true;
    group = "git";
    home = config.services.forgejo.stateDir;
  };
  services.openssh = {
    authorizedKeysFiles = lib.mkForce [
      "${config.services.forgejo.stateDir}/.ssh/authorized_keys"
    ];
    # Recommended by forgejo: https://forgejo.org/docs/latest/admin/recommendations/#git-over-ssh
    settings.AcceptEnv = "GIT_PROTOCOL";
  };
  environment.persistence."/persist".directories = [
    {
      directory = config.services.forgejo.stateDir;
-      user = "forgejo";
+      inherit (config.services.forgejo) user group;
      group = "forgejo";
      mode = "0700";
    }
  ];
@ -94,6 +106,8 @@ in {
    enable = true;
    # TODO db backups
    # dump.enable = true;
    user = "git";
    group = "git";
    lfs.enable = true;
    mailerPasswordFile = config.age.secrets.forgejo-mailer-password.path;
    settings = {
@ -148,6 +162,7 @@ in {
        ROOT_URL = "https://${forgejoDomain}/";
        LANDING_PAGE = "login";
        SSH_PORT = 9922;
        SSH_USER = "git";
      };
      service = {
        DISABLE_REGISTRATION = false;
--- a/modules/config/users.nix
+++ b/modules/config/users.nix
@ -23,7 +23,7 @@
    influxdb2 = uidGid 986;
    telegraf = uidGid 985;
    rtkit = uidGid 984;
-    forgejo = uidGid 983;
+    git = uidGid 983;
    redis-paperless = uidGid 982;
    nixseparatedebuginfod = uidGid 981;
    msr = uidGid 980;