git: port forward ssh

hosts/cloud/networking.nix

@@ -19,7 +19,9 @@
       networkConfig = {
         Address = [
           "188.245.196.27/32"
+          "116.202.5.66/32"
           "2a01:4f8:c17:7f8a::1/64"
+          "2a01:4f8:c17:7f8a::617/64"
         ];
         DNS = [
           "2a01:4ff:ff00::add:1"

hosts/cloud/proxy/default.nix

@@ -52,7 +52,6 @@ in
       # Prevent injection of code in other mime types (XSS Attacks)
       add_header X-Content-Type-Options nosniff;
     '';
-    # default vhost
 
     virtualHosts."oxapentane.com" = {
       forceSSL = true;

hosts/cloud/proxy/git.nix

@@ -1,5 +1,37 @@
 { ... }:
 {
+  # ssh config for forgejo
+  # need ip forward for nat
+  boot.kernel.sysctl = { "net.ipv4.ip_forward" = 1; };
+
+  networking.firewall = {
+    # open port explicitly
+    allowedTCPPorts = [ 22 ];
+    # git.oxapentane.com: port forward 22 to forgejo
+    # TODO do a proper thing with ipv6
+    extraCommands = ''
+      iptables -t nat -I PREROUTING -p tcp --dport 22 -d 116.202.5.66 -j DNAT --to-destination 10.89.88.15:2222
+      iptables ! -o lo -t nat -A POSTROUTING -j MASQUERADE
+    '';
+    extraStopCommands = ''
+      iptables -t nat -D PREROUTING -p tcp --dport 22 -d 116.202.5.66 -j DNAT --to-destination 10.89.88.15:2222 || true
+    '';
+  };
+  # host sshd: only listen on oxapentane.com and mgmt vpn
+  services.openssh.listenAddresses = map (a :
+  {
+    addr = a;
+    port = 22;
+  }) [
+    # enp1s0
+    "188.245.196.27"
+    "2a01:4f8:c17:7f8a::1"
+    # wg-0xa-mgmt
+    "10.89.87.1"
+    "fd31:185d:722e::1"
+  ];
+
+
   services.nginx.upstreams.forgejo = {
     servers = {
       "10.89.88.15:3000" = { };