fix: allow forgejo to bind to tcp port 22

nixos/modules/gitea.nix

@@ -74,6 +74,12 @@ in
       vmOverCommit = true;
     };
 
+    systemd.services.forgejo.serviceConfig = {
+      AmbientCapabilities = lib.mkForce "CAP_NET_BIND_SERVICE";
+      CapabilityBoundingSet = lib.mkForce "CAP_NET_BIND_SERVICE";
+      PrivateUsers = lib.mkForce false;
+    };
+
     services.nginx.virtualHosts."git.${config.networking.domain}" = {
       enableACME = true;
       forceSSL = true;