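{ ... }:
{
  # ssh config for forgejo
  #
  # Public ssh for git.oxapentane.com is DNAT'ed from 116.202.5.66:22 to the
  # forgejo guest at 10.89.88.15:2222. The host's own sshd stays reachable on
  # port 22 only via the addresses listed in services.openssh.listenAddresses
  # below, so the two never compete for the same address:port.

  # need ip forward for nat: without it the kernel drops the DNAT'ed packets
  # instead of routing them on to 10.89.88.15
  boot.kernel.sysctl = {
    "net.ipv4.ip_forward" = 1;
  };

  networking.firewall = {
    # open port explicitly (this is for the host sshd; the DNAT'ed git traffic
    # is rewritten in PREROUTING before it would reach the INPUT chain)
    allowedTCPPorts = [ 22 ];

    # git.oxapentane.com: port forward 22 to forgejo
    # TODO do a proper thing with ipv6
    #
    # Each rule is only added when it is not already present (-C check first),
    # so a firewall restart/reload does not stack duplicate nat entries, and
    # both rules are removed again in extraStopCommands. The previous version
    # removed only the DNAT rule, leaving one extra MASQUERADE rule behind per
    # restart.
    #
    # NOTE: the MASQUERADE rule rewrites the source address of *all* forwarded
    # traffic that does not leave via lo, so forgejo's sshd sees this host as
    # the peer instead of the real client IP. Per-client auth logging and
    # rate limiting on the guest therefore cannot distinguish clients; narrow
    # the rule if the guest's return route goes back through this host anyway
    # (verify before changing, or the forwarded connections will break).
    # Presumably the NixOS firewall leaves the FORWARD chain permissive for
    # this to work - confirm on the running host.
    extraCommands = ''
      iptables -t nat -C PREROUTING -p tcp --dport 22 -d 116.202.5.66 -j DNAT --to-destination 10.89.88.15:2222 || iptables -t nat -I PREROUTING -p tcp --dport 22 -d 116.202.5.66 -j DNAT --to-destination 10.89.88.15:2222
      iptables -t nat -C POSTROUTING ! -o lo -j MASQUERADE || iptables -t nat -A POSTROUTING ! -o lo -j MASQUERADE
    '';
    extraStopCommands = ''
      iptables -t nat -D PREROUTING -p tcp --dport 22 -d 116.202.5.66 -j DNAT --to-destination 10.89.88.15:2222 || true
      iptables -t nat -D POSTROUTING ! -o lo -j MASQUERADE || true
    '';
  };

  # host sshd: only listen on oxapentane.com and mgmt vpn
  # (deliberately not on 116.202.5.66, which is the DNAT'ed git address)
  services.openssh.listenAddresses = map (a: { addr = a; port = 22; }) [
    # enp1s0
    "188.245.196.27"
    "2a01:4f8:c17:7f8a::1"
    # wg-0xa-mgmt
    "10.89.87.1"
    "fd31:185d:722e::1"
  ];

  # http side of forgejo: caddy terminates TLS and proxies to the guest,
  # reachable over both v4 and v6
  services.caddy.virtualHosts."git.oxapentane.com".extraConfig =
    "reverse_proxy 10.89.88.15:3000 [fd31:185d:722f::15]:3000";
}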