From 1a7a1189e77025e970f4aa15157a9fd54e91d151 Mon Sep 17 00:00:00 2001
From: John Lancaster <32917998+jsl12@users.noreply.github.com>
Date: Fri, 3 Apr 2026 18:16:29 -0500
Subject: [PATCH] privileged port permissions for https

---
 modules/features/forgejo.nix | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/modules/features/forgejo.nix b/modules/features/forgejo.nix
index ebd711d..57dbdd8 100644
--- a/modules/features/forgejo.nix
+++ b/modules/features/forgejo.nix
@@ -2,6 +2,7 @@
   flake.modules.nixos.forgejo = {config, pkgs, lib, ... }:
   let
     cfg = config.forgejo;
+    needsPrivilegedPort = cfg.port < 1024;
   in
   {
     options.forgejo = {
@@ -25,6 +26,12 @@
     config = lib.mkIf cfg.enable {
       networking.firewall.allowedTCPPorts = lib.optionals cfg.openFirewall [ cfg.port ];
 
+      systemd.services.forgejo.serviceConfig = lib.mkIf needsPrivilegedPort {
+        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+        PrivateUsers = lib.mkForce false;
+      };
+
       sops.secrets = {
         "forgejo/secret_key".owner = config.services.forgejo.user;
         "forgejo/internal_token".owner = config.services.forgejo.user;
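Review bot: `CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];` in the second hunk is defined without `mkForce`, while the `mkForce` on `PrivateUsers` two lines below shows the author expects the upstream NixOS forgejo service to carry its own hardening values; if upstream also defines `CapabilityBoundingSet`, the two definitions will either fail to merge (string vs. list) or merge into something other than the single intended capability, so the line should read `CapabilityBoundingSet = lib.mkForce [ "CAP_NET_BIND_SERVICE" ];` and the result be confirmed with `systemctl show forgejo -p CapabilityBoundingSet -p AmbientCapabilities -p PrivateUsers`. Disabling `PrivateUsers` removes user-namespace isolation for every deployment that picks a low port, which deserves a why-comment on the block, e.g. `# PrivateUsers=true puts the service in a user namespace whose capabilities do not apply to the host network namespace, so CAP_NET_BIND_SERVICE alone cannot bind a port below 1024; lift it only when such a port is configured.` A reverse proxy on the privileged port, or lowering `net.ipv4.ip_unprivileged_port_start` via `boot.kernel.sysctl`, would achieve the same without weakening the sandbox and is worth naming in that comment as the preferred alternative. The enclosing `config = lib.mkIf cfg.enable { ... }` attribute set continues past the end of the hunk.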