services: forgejo: simplify sshd setup

Signed-off-by: Christoph Heiss <christoph@c8h4.io>
2024-08-24 17:47:58 +02:00 · 2024-08-24 17:47:58 +02:00 · be9bb3843c
parent dfeffdf041
commit be9bb3843c
1 changed files with 1 additions and 17 deletions
--- a/services/forgejo.nix
+++ b/services/forgejo.nix
@ -145,15 +145,6 @@ in {
      inherit (cfg) user group;
      mode = "0750";
    };
-    "/run/forgejo-dispatch/authorized-keys"."f+" = {
-      # sshd_config(5): The program must be owned by root, not writable by group or others
-      mode = "0755";
-      argument = builtins.concatStringsSep "\\n" [
-        "#!${lib.getExe pkgs.bash}"
-        ''
-          exec ${pkgs.toybox}/bin/cat "${config.services.forgejo.stateDir}/.ssh/authorized_keys"''
-      ];
-    };
  };

  services.nginx.virtualHosts.${fqdn} =
@ -182,14 +173,7 @@ in {
    extraGroups = [ "restic-backup" ];
  };

-  services.openssh = {
-    settings.AllowUsers = [ cfg.user ];
-    extraConfig = ''
-      Match User ${cfg.user}
-        AuthorizedKeysCommand /run/forgejo-dispatch/authorized-keys
-        AuthorizedKeysCommandUser ${cfg.user}
-    '';
-  };
+  services.openssh.settings.AllowUsers = [ cfg.user ];

  services.restic.backups.forgejo = {
    environmentFile = secrets."restic/rest-env".path;