Disable ssh for gitea, and associated routing/rules

services/fail2ban/gitea.nix

@@ -1,9 +0,0 @@
-{...}: {
-  imports = [./default.nix];
-  services.fail2ban.jails.gitea = ''
-    enabled = true
-    filter = sshd
-    ports = 30922
-    backend = systemd
-  '';
-}

services/fail2ban/traefik.nix

@@ -1,17 +1,9 @@
 {...}: {
   imports = [./default.nix];
-  services.fail2ban.jails = {
-    traefik-http = ''
-      enabled = true
-      filter = traefik-auth
-      ports = http,https,2222
-      backend = systemd
-    '';
-    traefik-ssh = ''
-      enabled = true
-      filter = sshd
-      ports = 2222
-      backend = systemd
-    '';
-  };
+  services.fail2ban.jails.traefik = ''
+    enabled = true
+    filter = traefik-auth
+    ports = http,https
+    backend = systemd
+  '';
 }

services/gitea/default.nix

@@ -1,13 +1,11 @@
 {...}: {
-  imports = [ ../fail2ban/gitea.nix ];
   services.gitea = {
     enable = true;
     settings = {
       server = {
         ROOT_URL = "https://git.xenia.me.uk";
         DOMAIN = "git.xenia.me.uk";
-        SSH_DOMAIN = "git.xenia.me.uk";
-        SSH_PORT = 2222;
+        DISABLE_SSH = true;
       };
       service.DISABLE_REGISTRATION = true;
       ui = {

services/traefik/default.nix

@@ -13,7 +13,6 @@
           };
         };
         https = {address = ":443";};
-        ssh = {address = ":2222";};
         traefik-internal = {address = ":8080";};
       };
       certificatesResolvers = {
@@ -51,6 +50,6 @@
   };
   networking.firewall = {
     enable = true;
-    allowedTCPPorts = [80 443 2222 8080];
+    allowedTCPPorts = [80 443 8080];
   };
 }

services/traefik/gitea.nix

@@ -10,13 +10,5 @@
       };
       services.gitea-websecure.loadBalancer.servers = [{url = "http://localhost:3000";}];
     };
-    tcp = {
-      routers.gitea-ssh = {
-        rule = "HostSNI(`git.xenia.me.uk`)";
-        entryPoints = ["ssh" "https"];
-        service = "ssh-redirect";
-        tls = {certResolver = "default";};
-      };
-    };
   };
 }