privileged port permissions for https

John Lancaster
2026-04-03 18:16:29 -05:00
parent ff74205c57
commit 1a7a1189e7
+7
@@ -2,6 +2,7 @@
flake.modules.nixos.forgejo = {config, pkgs, lib, ... }: flake.modules.nixos.forgejo = {config, pkgs, lib, ... }:
let let
cfg = config.forgejo; cfg = config.forgejo;
needsPrivilegedPort = cfg.port < 1024;
in in
{ {
options.forgejo = { options.forgejo = {
@@ -25,6 +26,12 @@
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
networking.firewall.allowedTCPPorts = lib.optionals cfg.openFirewall [ cfg.port ]; networking.firewall.allowedTCPPorts = lib.optionals cfg.openFirewall [ cfg.port ];
systemd.services.forgejo.serviceConfig = lib.mkIf needsPrivilegedPort {
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
PrivateUsers = lib.mkForce false;
};
sops.secrets = { sops.secrets = {
"forgejo/secret_key".owner = config.services.forgejo.user; "forgejo/secret_key".owner = config.services.forgejo.user;
"forgejo/internal_token".owner = config.services.forgejo.user; "forgejo/internal_token".owner = config.services.forgejo.user;