From 149a4313013631a7d55e6c4c7a91430da1c856ca Mon Sep 17 00:00:00 2001
From: Tim Schubert
Date: Thu, 4 Jul 2024 23:12:12 +0200
Subject: [PATCH] fix: allow forgejo to bind to tcp port 22

---
 nixos/modules/gitea.nix | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/nixos/modules/gitea.nix b/nixos/modules/gitea.nix
index 0c808bc..259815a 100644
--- a/nixos/modules/gitea.nix
+++ b/nixos/modules/gitea.nix
@@ -74,6 +74,12 @@ in
 vmOverCommit = true;
 };

+ systemd.services.forgejo.serviceConfig = {
+ AmbientCapabilities = lib.mkForce "CAP_NET_BIND_SERVICE";
+ CapabilityBoundingSet = lib.mkForce "CAP_NET_BIND_SERVICE";
+ PrivateUsers = lib.mkForce false;
+ };
+
 services.nginx.virtualHosts."git.${config.networking.domain}" = {
 enableACME = true;
 forceSSL = true;
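Review bot: The three `lib.mkForce` overrides in `systemd.services.forgejo.serviceConfig` relax the unit's hardening with no comment explaining why, and `PrivateUsers = lib.mkForce false` is the one most likely to be "fixed" back later. I would add a comment above it such as `# PrivateUsers must stay off: inside a private user namespace the service holds no capabilities on the host, so CAP_NET_BIND_SERVICE could not bind port 22`. Note also that `CAP_NET_BIND_SERVICE` allows binding every port below 1024, not only 22. If the systemd version in use supports it, `SocketBindDeny = "any";` with a `SocketBindAllow` list of the ports forgejo really listens on would narrow that; the HTTP port is not visible in this hunk, so the list needs checking against the rest of the module. Because `mkForce` silently wins over whatever the upstream forgejo module sets, these values are worth re-checking whenever that module changes its defaults.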